root:~#
root:~#

Post Exploitation Resources

 revsh3ll included in Resources & Tools
  About 1600 words 8 minutes 

Post-Exploitation

Abusing vulnerabilities and misconfigurations to maintain access, escalate privileges, and/or exfiltrate sensitive data.

With our initial access to an internal network, we now focus on acquiring higher-level access through privilege escalation, pivoting to other hosts through lateral movement, stealing sensitive information through data exfiltration, and maintaining access through persistent methods.

Few examples:

  • Abusing misconfigurations in Active Directory, internal services, and/or hosts to gain new privileges and access.
  • Bypassing egress filtering through tunneling methods.
  • Disabling and/or bypassing AV solutions.
  • Stealing sensitive information from compromised hosts.
  • Creating persistence to ease our access back into the compromised network/host.

This is a list of tools which use exploitation techniques (E.g., Abusing remote services, applications, valid accounts, and more) to gain access to the target.  

Exploit Warning!
Use caution when downloading and/or executing any malicious code! I’m not responsible for your actions. Only attack systems you have written authorization to!


Regarding my notes:

  • The brackets ( ) after each tool will indicate if the tool is:

    1. (Built-in) = Within Kali’s repo. If not already installed, run the following:

      1

      sudo apt update && sudo apt install *tool-to-install*

    2. (External) = Outside Kali’s repo. It’ll need downloaded then installed.

    3. (Website) = Part of a website.

    4. There’s others but they’re self-explanatory.

  • I’ll also try specifying any restrictions I know of.
    1. API access needed.
    2. Paywalls.
    3. etc.

AIO Resources

  1. HackingArticles.in - (Website)

    • Quick and simple walkthrough guides to various tools and techniques.

  2. HackTricks - (Website)

    • Great resources for anything penetration testing and red teaming.

  3. 0xJs RedTeam CheatSheet - (GitHub Repo)

    • CheatSheet to anything Red Team.

  4. SwissKy - (GitHub Repo)

    • AIO repo focusing on webapp payloads but includes many other pentesting & red teaming resources.
    • Home for the popular PayLoadAllTheThings repo.

  5. The Hive - (Website)

    • Great resource to search and learn from. Holds many resources that other blogs may lack.
    • Overall great to keep in your notes.

Active Directory

AD Enumeration

  1. adidnsdump - (External)

    • “Active Directory Integrated DNS dumping by any authenticated user”.
    • Great for initial recon once an AD creds acquired.

  2. BloodHound - (Built-in)

    • Ingests Sharphound/PowerView output and presents AD object relations in a graph-theory approach.

  3. enum4linux-ng - (Built-in)

    • Provides Windows/Samba Enumeration.
    • Newer version of the older enum4linux.

  4. Kerbrute - (External)

    • Kerberos pre-auth bruteforcer.
    • Wonderful tool for enumerating unknown and valid users!
    • Also does password spraying!

  5. ldapdomaindump - (External)

    • Collects and parses info available through LDAP then dumps into a human readable HTML format.
    • Also supports json and csv,tsv.

  6. ldapsearch - (Built-in)

    • Connects, binds, and queries against the LDAP server.

  7. PowerView.ps1 - (Built-in)

  8. SharpHound - (External)

    • Bloodhound collector.
    • Three versions available:
      1. Sharphound.ps1 - PowerShell script for running Sharphound. However, the latest release of Sharphound has stopped releasing the Powershell script version. This version is good to use with RATs since the script can be loaded directly into memory, evading on-disk AV scans.
      2. Sharphound.exe - A Windows executable version for running Sharphound.
      3. AzureHound.ps1 - PowerShell script for running Sharphound for Azure (Microsoft Cloud Computing Services) instances. Bloodhound can ingest data enumerated from Azure to find attack paths related to the configuration of Azure Identity and Access Management.

  9. smbclient - (Built-in)

    • Access SMB/CIFS resources on servers.
    • “FTP-like” client.

  10. smbmap - (Built-in)

    • Another tool that works well with enum4linux to enum SMB.

  11. Snaffler - (External)

    • Automates the process of enumerating sensitive data dumps from AD file shares.

AD Exploits & Attacks

  1. CrackMapExec - (Built-in)

    • “Swiss army knife of pentesting networks”.
    • Attack AD networks via different protocols.
    • Being replaced with NetExec.

  2. DomainPasswordSpray - (External)

    • Powershell tool for password spraying from Windows host.
    • Import-Module and run!

  3. Evil-WinRM - (Built-in)

    • Have winrm creds, this will allow you to create a overpowered “evil”-winrm shell.

  4. Impacket - (Built-in)

    • “Impacket is a collection of Python classes for working with network protocols.”

  5. Inveigh - (External)

    • .NET version of responder, which can run from a Windows host.
    • Great when doing a external to internal attack and need a LLMNR poisoner, among many other protocols.

  6. mimikatz - (Built-in)

    • Various authentication attacks for the Windows environment.

  7. mitm6 - (External)

    • “pwning IPv4 & IPv6”
    • Takes advantage of misconfigured IPv6 in Windows AD environments.

  8. NetExec - (External)

    • “The Network Execution Tool”.
    • Replacement for CrackMapExec.

  9. noPac - RCE - (External)

    • Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user.
    • Won’t work if KB5008380 & KB5008602 are installed.

  10. PetitPotam - (External)

    • Tools for Kerberos PKINIT and relaying to AD CS.

  11. PrintNightmare - RCE - (External)

    • C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527.

  12. Responder - (Built-in)

    • “Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.”

  13. Rubeus - (External)

    • Helps automate various Kerberos attacks, like kerboroasting.
    • Part many AD tools @ GhostPack.

  14. ZeroLogon - (External)

    • Tool to check if ZeroLogon in possible without exploiting(breaking) environment!

Pivoting Tools

  1. Chisel - (External)

    • TCP/UDP tunnel over HTTP, secured via SSH, written in Golang.
    • Supports authentication, auto-connect, quick speeds, etc.
    • Requirements:
      • Chisel binary on both compromised host and attackbox.

  2. plink - (External)

    • On newer systems check for SSH first, then fallback to plink if needed.
    • Always make sure you have the latest version.
    • Requirements:
      • plink.exe binary on compromised Windows host.

  3. proxychains4 - (Build-in)

    • Only works with TCP protocol.
    • Allows you to redirect connections through a SOCKS4/5 or HTTP proxies.
    • You use this with e.g. chisel, ssh, etc. to create tunnels.

  4. socat - (Built-in or External)

    • The relay king and considered a netcat on steroids.
    • The syntax can be difficult but highly worth learning!
    • Requirements:
      • socat binary on compromised system. It’s a common found binary on linux systems.
      • Windows binary can be found here: socat.exe.

  5. ssh - (Build-in)

    • Flexible binary allowing file transfers, tunneling, port forwarding, proxying, etc.
    • Requirements:
      • SSH server configured for SSH client access.

  6. SShuttle - (External)

    • Transparent Proxy, via SSH, as an interface.
    • Acts like a VPN tunnel and Supports DNS tunneling.
    • No admin privs required.
    • Requirements:
      • Linux Only.
      • SSH and Python on compromised host.

Linux Local PrivEsc

Resources - Linux LPE

  1. Abusing SUDO for LPE - (Website)

  2. GotMilk’s Basic Linux PrivEsc guide - (Website)

  3. Compilation of TCM’s LPE course - (Website)

  4. HackTrick’s - Linux PrivEsc Checklist - (Website)

  5. swisskyrepo’s - Linux PrivEsc Resources - (Website)

Enumeration - Linux LPE

  1. LinEnum - (External)

    • Scripted Local Linux Enumeration & Privilege Escalation Checks.

  2. LinPEAS - (External)

    • Enumerates a Linux host for PrivEsc, etc.

  3. Linux Exploit Suggester - (External)

    • Linux PrivEsc auditing tool.

  4. Linuxprivchecker.py - (External)

    • “Linux Privilege Escalation Check Script”.

  5. Pspy - (External)

    • “Monitor linux processes without root permissions”.

Attacks & Exploits - Linux LPE

  1. saleemrashid’s CVE-2019-18634 PoC - (External)

    • Exploit for CVE-2019-18634.
    • Needed: Sudo version < 1.8.26 with pwfeedback enabled.

  2. DirtyCow - (External)

    • DirtyCow kernel exploit. Simply transfer to target, compile, and run.

  3. GTFObins - (Website)

    • Curated list of Unix binaries which assist in Unix LPE.

  4. Linux Kernel Exploits - (Github Repo)

    • Older collection of kernel exploits by lucyoa.

  5. SSH Ket PRNG - (Website)

    • “This module describes how to attempt to use an obtained authorized_keys file on a host system.”

  6. SUDO Killer - (External)

    • “A tool designed to exploit a privilege escalation vulnerability in the sudo program on Unix-like systems. It takes advantage of a specific misconfiguration or flaw in sudo to gain elevated privileges on the system, essentially allowing a regular user to execute commands as the root user.”

Windows Local PrivEsc

Resources - Windows LPE

  1. Explained list of Potato attacks and associated links - (Website)

  2. Windows PrivEsc Guide by absolomb - (Website)

  3. swisskyrepo’s - Windows PrivEsc Guide - (Website)

  4. sushant747’s - Windows PrivEsc Guide - (Website)

Enumeration - Windows LPE

  1. PowerUp - (External)

    • Powershell module for checking on PrivEsc.

  2. Seatbelt - (External)

  3. SharpUp - (External)

    • C# port of PowerUp functionality.

  4. WinPEAS - (External)

    • Enumerate a Windows host for PrivEsc.
    • Requires .NET 4.0 or higher.

  5. Windows Exploit Suggester - (External)

    • This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

  6. Windows Exploit Suggester - (External)

    • MSFconsole’s Windows exploit suggestion module.

  7. Sherlock - (Build-in)

    • PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

Expoits & Attacks - Windows LPE

  1. Hot Potato - (External)

    • Compatible with Windows 7, 8, 10, Server 2008, Server 2012.
    • Local Privilege Escalation (LPE) abusing NBNS spoofing, NTLM relay, and WPAD proxy server.

  2. Juicy Potato - (External)

    • “A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM”.

  3. LOLBAS - (Website)

    • Curated list of binaries and scripts which assist in Windows LPE.

  4. PrintNightmare - (External)

    • Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare).

  5. PrintSpoofer - (External)

    • Abusing impersonation privileges through the “Printer Bug”.
    • Server 2019 and Windows 10.

  6. Rotten Potato - (External)

    • “RottenPotato local privilege escalation from service account to SYSTEM”.
    • Authenticating attacker by tricking DCOM/RPC into using NTLM.

  7. Windows Kernel Exploits - (External)

    • Curated list of Windows kernel exploits.
Updated on 02-14-2024 
Post-ExploitationToolsPivotingProxiesEnumerationResourcesExploitationLateral MovementVertical MovementPersistenceCollectionExfiltrationScanningActive DirectoryPrivilege Escalation
Back | Home
0%