
@netrunn3r
Last active June 24, 2020 14:14
Security tools cheatsheet

HTTrack

httrack --near --display --extra-log --keep-alive --tolerant --can-go-up-and-down --check-type=2 --urlhack --timeout=60 --retries=9 -O ./intranet/ http://intranet

To use a proxy, add -P 127.0.0.1:8080.
When something goes wrong (e.g. httrack refuses to use the proxy), delete the output folder and start over.

For the proxy we can use Burp:

  1. User options tab: set the user
  2. Proxy tab: run the proxy

Known Mail Servers that Reject Attachments

Depending on your system setup, phishing test emails which contain certain types of attachments may be blocked. See below for known mail servers that reject certain attachment types. We recommend using alternate file types when testing your users:

Mail Server     Type of Attachment Rejected
Google Suite    Word Documents with Macros (.doc)
                Excel Documents with Macros (.xls)
                Zipped Word Documents with Macros (.zip)
                Zipped Excel Documents with Macros (.zip)
                PDFs
Office 365      All Attachments with Macros (.ppt, .xls, and .doc)
                PDFs

netcat

Send a single file:

[server] nc -nvlp 4444 > file
[client] nc -nv a.b.c.d 4444 < file
[debian_client] nc -q 0 -nv a.b.c.d 4444 < file

Multiple files:

tar zc *.txt | nc -l 4444
nc a.b.c.d 4444 | tar zx

cmd.exe banners

The build number (third part of xx.yy.zzzz) varies with service packs and other big updates. Check the wiki for specific versions.

Windows 10:

Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

Windows 7/Server 2008R2:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

Windows Vista (64bit):

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

Windows XP:

Microsoft Windows [Version 5.1.2600]
Copyright (c) 1985-2001 Microsoft Corp.

nmap-fu

Some network devices answer every nmap host-discovery probe, so every address looks alive:

# nmap -PA -sn 192.168.230.0/26 | grep done
Nmap done: 64 IP addresses (64 hosts up) scanned in 0.24 seconds

-PA forces the default ACK ping. When we switch to a SYN ping, we get correct results:

# nmap -PS1-1024 -sn --reason 192.168.230.0/26

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-12 22:10 CET
Nmap scan report for 192.168.230.1
Host is up, received reset ttl 253 (0.0085s latency).
Nmap scan report for 192.168.230.4
Host is up, received reset ttl 62 (0.0089s latency).
Nmap scan report for 192.168.230.21
Host is up, received reset ttl 253 (0.0085s latency).
Nmap done: 64 IP addresses (3 hosts up) scanned in 100.34 seconds

Switching to an ICMP timestamp ping (-PP) gives the same three hosts much faster:

# nmap -PP -sn --reason 192.168.230.0/26

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-12 22:04 CET
Nmap scan report for 192.168.230.1
Host is up, received timestamp-reply ttl 253 (0.0082s latency).
Nmap scan report for 192.168.230.4
Host is up, received timestamp-reply ttl 62 (0.0091s latency).
Nmap scan report for 192.168.230.21
Host is up, received timestamp-reply ttl 62 (0.0086s latency).
Nmap done: 64 IP addresses (3 hosts up) scanned in 1.00 seconds

We can debug such a case by tracing the probes and replies for a single address:

# nmap -sn -d -n --packet-trace 192.168.230.15

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-11 15:01 CET
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 15:01
Scanning 192.168.230.15 [4 ports]
Packet capture filter (device ens192): dst host 192.168.2.18 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.230.15)))
SENT (0.1003s) ICMP [192.168.2.18 > 192.168.230.15 Echo request (type=8/code=0) id=1312 seq=0] IP [ttl=41 id=63460 iplen=28 ]
SENT (0.1005s) TCP 192.168.2.18:41976 > 192.168.230.15:443 S ttl=45 id=44629 iplen=44  seq=2168741277 win=1024 <mss 1460>
SENT (0.1006s) TCP 192.168.2.18:41976 > 192.168.230.15:80 A ttl=37 id=18925 iplen=40  seq=0 win=1024
SENT (0.1007s) ICMP [192.168.2.18 > 192.168.230.15 Timestamp request (type=13/code=0) id=30184 seq=0 orig=0 recv=0 trans=0] IP [ttl=48 id=48132 iplen=40 ]
>> RCVD (0.1016s) TCP 192.168.230.15:80 > 192.168.2.18:41976 RA ttl=254 id=55124 iplen=40  seq=2168741277 win=1024
>> We got a TCP ping packet back from 192.168.230.15 port 80 (trynum = 0)
Completed Ping Scan at 15:01, 0.10s elapsed (1 total hosts)
Overall sending rates: 41.16 packets / s, 1563.90 bytes / s.
Nmap scan report for 192.168.230.15
>> Host is up, received reset ttl 254 (0.0011s latency).
Final times for host: srtt: 1065 rttvar: 5000  to: 100000
Read from /usr/bin/../share/nmap: nmap-payloads.
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
           Raw packets sent: 4 (152B) | Rcvd: 1 (40B)
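The three sweeps above differ only in which probe is sent, and the ACK sweep is the one that lies. A quick sanity check on any `nmap -sn --reason` run is to compare hosts-up against addresses scanned and to look at how uniform the replies are: a range where every address is "up" with the identical reason and TTL is a firewall or similar device answering for the whole block. The script below is an added example (not part of the gist); the two nmap outputs in it are constructed samples in the same format as the real output shown above, so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original gist: summarise an `nmap -sn --reason`
# sweep and flag the "every address is up" pattern that an ACK ping produces
# when a firewall or other device answers for the whole range.
# The nmap outputs below are constructed samples so the script runs offline.

# Constructed sample: ACK ping (-PA), one device answers RST for every address
SAMPLE_ACK='Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-12 22:00 CET
Nmap scan report for 192.168.230.1
Host is up, received reset ttl 254 (0.0011s latency).
Nmap scan report for 192.168.230.2
Host is up, received reset ttl 254 (0.0012s latency).
Nmap scan report for 192.168.230.3
Host is up, received reset ttl 254 (0.0010s latency).
Nmap scan report for 192.168.230.4
Host is up, received reset ttl 254 (0.0011s latency).
Nmap done: 4 IP addresses (4 hosts up) scanned in 0.20 seconds'

# Constructed sample: SYN ping (-PS) on the same range, only real hosts answer
SAMPLE_SYN='Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-12 22:10 CET
Nmap scan report for 192.168.230.1
Host is up, received reset ttl 253 (0.0085s latency).
Nmap scan report for 192.168.230.4
Host is up, received reset ttl 62 (0.0089s latency).
Nmap done: 4 IP addresses (2 hosts up) scanned in 12.00 seconds'

# Print "<hosts up>/<addresses scanned>" taken from the final "Nmap done" line.
up_ratio() {
  printf '%s\n' "$1" | awk '/^Nmap done:/ { sub(/\(/, "", $6); print $6 "/" $3 }'
}

# One line per distinct (reason, ttl) pair with its count, most common first.
reason_summary() {
  printf '%s\n' "$1" | awk '/^Host is up, received/ { c[$5 " ttl " $7]++ }
    END { for (k in c) print c[k], k }' | sort -rn
}

# SUSPECT when every scanned address is up and all replies look identical:
# that is a middlebox answering on behalf of the range, not real hosts.
verdict() {
  ratio=$(up_ratio "$1")
  [ -z "$ratio" ] && { echo "NO-DATA"; return 0; }
  up=${ratio%/*}
  total=${ratio#*/}
  kinds=$(reason_summary "$1" | wc -l | tr -d ' ')
  if [ "$total" -gt 1 ] && [ "$up" -eq "$total" ] && [ "$kinds" -eq 1 ]; then
    echo "SUSPECT"
  else
    echo "OK"
  fi
}

# Stand-alone run over both constructed samples
for s in "$SAMPLE_ACK" "$SAMPLE_SYN"; do
  echo "hosts up: $(up_ratio "$s")  verdict: $(verdict "$s")"
  reason_summary "$s"
done
```

To use it on a real run, save the output of `nmap -sn --reason <range>` to a file and call `verdict "$(cat scan.txt)"`; a SUSPECT verdict is the cue to repeat the sweep with -PS or -PP as shown above before trusting the host count.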

Audit passwords from AD

Based on: https://www.dionach.com/blog/active-directory-password-auditing

C:\> ntdsutil

ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\audit
ifm: quit
ntdsutil: quit
NtdsAudit.exe "ntds.dit" -s "SYSTEM" -p pwdump.txt --users-csv users.csv
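The pwdump.txt written by the last step is where the actual audit happens: accounts with the same NT hash share the same password, accounts with a non-empty LM hash still store the weak legacy hash, and an NT hash equal to that of the empty string is an account with no password. The script below is an added example, not part of the gist or of NtdsAudit; it assumes pwdump-format lines (user:RID:LMhash:NThash:::, a DOMAIN\ prefix on the user name is fine) and its sample data and hashes are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist or of NtdsAudit: a post-processing pass
# over the pwdump.txt that the audit above produces. Each line is assumed to be
# in pwdump format, user:RID:LMhash:NThash::: (fields are split on ':', so a
# DOMAIN\ prefix on the user name does no harm). The sample below is
# constructed and its NT/LM hashes are made up.

EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'   # LM hash stored when LM is disabled or the password is empty
EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password

# Constructed sample dump (hashes are placeholders, not real account data)
SAMPLE='Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jsmith:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1110:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
legacy01:1120:c0ffee00c0ffee00aad3b435b51404ee:0123456789abcdef0123456789abcdef:::
guest_test:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# NT hashes used by more than one account, printed as "count hash user1,user2,...".
# Identical NT hashes mean identical passwords, so a hash shared between an
# admin and a regular user is the finding to chase first.
shared_nt_hashes() {
  printf '%s\n' "$1" | awk -F: 'NF >= 4 {
      n[$4]++
      u[$4] = (u[$4] == "" ? "" : u[$4] ",") $1
    }
    END { for (h in n) if (n[h] > 1) print n[h], h, u[h] }' | sort -rn
}

# Accounts that still have a real LM hash stored (LM is trivially crackable).
lm_hashes_present() {
  printf '%s\n' "$1" | awk -F: -v e="$EMPTY_LM" 'NF >= 4 && $3 != e { print $1 }'
}

# Accounts whose NT hash is that of the empty password.
empty_passwords() {
  printf '%s\n' "$1" | awk -F: -v e="$EMPTY_NT" 'NF >= 4 && $4 == e { print $1 }'
}

# Stand-alone run over the constructed sample
echo "== shared NT hashes =="; shared_nt_hashes "$SAMPLE"
echo "== LM hash present  =="; lm_hashes_present "$SAMPLE"
echo "== empty password   =="; empty_passwords "$SAMPLE"
```

On a real dump call `shared_nt_hashes "$(cat pwdump.txt)"` and the two other functions the same way; none of them need the hashes to be cracked, which is why this pass is worth running before any cracking.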

Linux Smart Enumeration

When running as root, disable these checks:

  • fst000 Writable files outside user's home - as root we can write to almost any file
  • fst500 Files owned by user 'root' - many critical files are owned by root and nobody else, so the check is noise

ssh user@${srv} 'url="https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh"; cmd="curl -s ${url} -Lo"; command -v curl >/dev/null 2>&1 || cmd="wget ${url} -O"; ${cmd} lse.sh && chmod 700 lse.sh && ./lse.sh -l2 -i -s usr,sud,sys,sec,ret,net,srv,pro,sof,ctn,fst0180,fst190,fst510,fst520,fst530,fst540 -c && rm lse.sh' | tee lse_report_`date +%F`_${srv}.txt