Shuciran Pentesting Notes

Squid Proxy (tcp-3128)

If a Squid Proxy is enabled we can configure our proxychains to enumerate services behind port tcp-3128, all we need to do is configure the /etc/proxychains.conf file as follows: [ProxyList] # add...

DNS (tcp & udp-53)

DNS RECORDS Dig Retrieve DNS record dig @10.10.10.224 realcorp.htb # Retrieve DNS record dig @10.10.10.224 realcorp.htb ns # Retrieve Name Servers dig @10.10.10.224 realcorp.htb axfr # Transfer Zo...

Silver Ticket Attack

Ticketer To generate a Silver ticket we need 3 resources: NTLM Hash DC SID SPN Getting NTLM Hash To create a silver ticket, we use the password hash and not the cleartext password. If a...

SeImpersonatePrivilege

JuicyPotato The tool takes advantage of the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege if enabled on the machine to elevate the local privileges to System. Normally, these privileges ...

Web Fuzzing

WFUZZ Basic Fuzzing: wfuzz -c -t 200 --hc 404 -w /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt -u http://10.10.10.203/FUZZ Examples: Worker [[StreamIO#^a1b013]] Subdomain fuzzing: wfuzz...

MSSQL (tcp-1433)

Connection impacket-mssqlclient sa@10.11.1.31 -p 1433 -db tempdb # Sometimes you need to specify a Windows Authentication impacket-mssqlclient Archetype/sql_svc:M3g4c0rp123@10.129.95.187 -windows-...

Password Spraying

Crackmapexec While executing a Password Spraying attack with crackmapexec always run the --continue-on-success flag, sometimes there are some cases when two users can have the same password cr...

Creds.xml

In order to create an XML file with credentials via powershell we can run the following commands: C:\Users\nico\Desktop> $credential = Get-Credential C:\Users\nico\Desktop> $credential | Exp...

Domain Admin Techniques

This is a collection of techniques to get Domain Admin via multiple techniques. Assign user to a group Import-Module ./PowerView.ps1 $SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -As...

Firefox Cache Passwords

Firefox Cache passwords First go to the path file session for the user: # For Windows: C:\\Users\\nikk37\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\br53rxeg.default-release # For Linux /.mozi...