diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md index 5675dac..e570f2b 100644 --- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md +++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md @@ -120,6 +120,27 @@ SMB Beacon uses Named Pipes. You might encounter these error code while running | 53 | Bad Netpath | You have no trust relationship with the target system. It may or may not be a beacon there. | +### SSH Beacon + +```powershell +# deploy a beacon +beacon> help ssh +Use: ssh [target:port] [user] [pass] +Spawn an SSH client and attempt to login to the specified target + +beacon> help ssh-key +Use: ssh [target:port] [user] [/path/to/key.pem] +Spawn an SSH client and attempt to login to the specified target + +# beacon's commands +upload Upload a file +download Download a file +socks Start SOCKS4a server to relay traffic +sudo Run a command via sudo +rportfwd Setup a reverse port forward +shell Execute a command via the shell +``` + ### Metasploit compatibility * Payload: windows/meterpreter/reverse_http or windows/meterpreter/reverse_https diff --git a/Methodology and Resources/Metasploit - Cheatsheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md index 3fb5bad..f62f7c1 100644 --- a/Methodology and Resources/Metasploit - Cheatsheet.md +++ b/Methodology and Resources/Metasploit - Cheatsheet.md @@ -16,6 +16,7 @@ * [Execute from Memory](#execute-from-memory) * [Mimikatz](#mimikatz) * [Pass the Hash - PSExec](#pass-the-hash---psexec) + * [Use SOCKS Proxy](#use-socks-proxy) * [Scripting Metasploit](#scripting-metasploit) * [Multiple transports](#multiple-transports) * [Best of - Exploits](#best-of---exploits) 
@@ -188,6 +189,12 @@ SMBPass 598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d SMBUser Lambda no The username to authenticate as ``` +### Use SOCKS Proxy + +```powershell +setg Proxies socks4:127.0.0.1:1080 +``` + ## Scripting Metasploit Using a `.rc file`, write the commands to execute, then run `msfconsole -r ./file.rc`. diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 32b8d28..9c7c665 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -18,6 +18,7 @@ * [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords) * [Passwords in unattend.xml](#passwords-in-unattendxml) * [Wifi passwords](#wifi-passwords) + * [Sticky Notes passwords](#sticky-notes-passwords) * [Passwords stored in services](#passwords-stored-in-services) * [Powershell history](#powershell-history) * [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks) @@ -446,6 +447,10 @@ Oneliner method to extract wifi passwords from all the access point. cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on ``` +### Sticky Notes passwords + +The sticky notes app stores it's content in a sqlite db located at `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` + ### Passwords stored in services Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher](https://github.com/Arvanaghi/SessionGopher)
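Review bot: in the `Cobalt Strike - Cheatsheet.md` hunk that adds `### SSH Beacon`, the usage line printed under `beacon> help ssh-key` reads `Use: ssh [target:port] [user] [/path/to/key.pem]`, which is inconsistent with the command it documents; the two help entries are otherwise identical apart from the last argument, so a reader copying the second one will issue the password form instead of the key form. Change it to `Use: ssh-key [target:port] [user] [/path/to/key.pem]` (or paste the console output verbatim). The fence is also tagged `powershell` although the content is a Beacon console transcript with `beacon>` prompts and `#` comments; an untagged fence or `text` would stop the highlighter treating it as PowerShell.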
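Review bot: in the `Metasploit - Cheatsheet.md` hunk that adds `### Use SOCKS Proxy`, the single line `setg Proxies socks4:127.0.0.1:1080` is fenced as `powershell` but is an msfconsole command, so the fence language is wrong, and the section has no explanatory sentence at all. One line stating that `setg` sets the option in the global datastore (every module loaded in the session inherits it, unlike `set`, which is scoped to the current module) and that `127.0.0.1:1080` is the address of the SOCKS listener started elsewhere (for example the Beacon `socks` command documented in the same commit) would make the section usable on its own and tie the two cheatsheets together.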
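Review bot: in the `Windows - Privilege Escalation.md` hunk that adds `### Sticky Notes passwords`, the path `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` has an empty segment between `Users` and `AppData`, which looks like a `<username>` placeholder swallowed by markdown treating it as an HTML tag; write it as `C:\Users\%USERNAME%\AppData\Local\...` or `%LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`, or escape the angle brackets, so the path is correct after rendering. Also "stores it's content" should be "stores its content", and the sentence is missing its trailing period.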