Universal tools and resources

Wordlists

• rockyou.txt

• Sub-domains (1)

• Sub-domains (2)

• Directories (1)

• Directories (2) used by Feroxbuster

• SNMP community strings

Useful websites

• Reverse shell generator

• Hashcat hash examples

• Crackstation

• WasmFiddle - C to Web Assembly

Browser extensions

• Requestly

• FoxyProxy

Binaries

• Statically compiled binaries

• SharpCollection - Pre-compiled binaries (windows)

Docker

• Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)

Tunneling and Listeners

Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server.

############################# [SERVER] #############################
chisel server --port <port> --reverse

############################# [CLIENTS] #############################

# BASIC client
chisel client <server_ip_and_port> R:<listener_port>:<ip>:<forwarded_port>

# SOCKS PROXY
## Note that socks proxy will start a listener on port 1080
chisel client <server_ip_and_port> R:socks

Interaction

One can use FoxyProxy for the browser or proxychains on the command line to interact with the network.

authbind

authbind allows a program which does not or should not run as root to bind to low-numbered ports in a controlled way.

# Netcat
authbind nc -lvnp <port>

# Python
authbind python -m http.server

Active Directory

BloodHound

BloodHound is used to visualise AD environments and discover attack paths.

• Documentation

Ingestors

SharpHound

Data collector for BloodHound

• Documentation

• Releases

bloodhound.py

Python based data collection tool for BloodHound This will run against the domain, so can one run it from a remote machine.

bloodhound-python -u <username> -p <password> -d <domain> -c All -ns <nameserver>                

• Documentation

sssd

sssd is an open source client for enterprise identity management. It allows for Linux machines to be joined into an Active Directory domain.

SSSD maintains a copy of the database at the path /var/lib/sss/secrets/secrets.ldb. The corresponding key is stored as a hidden file at the path /var/lib/sss/secrets/.secrets.mkey. By default, the key is only readable if you have root permissions.

Knowing this information one can take a look at those file (if they're present) and extract data from them. If data cannot be found in those files, one might try to go back one folder to /var/lib/sss where they might find some other files which can potentially reveal some info.

More info

Miscellaneous

• Evil-WinRM

• PowerView

• All Impacket scripts

• Powermad

• Rubeus Docs

• Rubeus Release

• SharpCollection - Pre-compiled binaries (windows)

• mimikatz

• VNC Password Decryptor

• VNCDecrypt

• Mimikatz in python

• mRemoteNG Decryptor

Reverse Engineering

Radare2 (R2)

r2 is a complete rewrite of radare. It provides a set of libraries, tools and plugins to ease reverse engineering tasks.

• Introduction

• Manual

Ghidra

Open-source reverse engineering software developed by NSA

• Ghidra GitHub

• Ghidra CheatSheet

GDB

GNU Debugger

peda

GitHub Python Exploit Development Assistance for GDB

Basic buffer overflow

Walkthrough and help

dnSpy

https://github.com/dnSpy/dnSpy Used for disassembling .NET code

Alternatives

These alternatives are for Linux, since dnSpy is for Windows only

• IlSpy

• CodemerxDecompile

Python executables

Python files can be packed and unpacked to and from a binary.

Use the extractor to unpack the binary, then use uncompyle6 to decompile .pyc files received from the unpacking process.

Click this for better explanation and examples.

Miscallenous

• upx for packing and unpacking binaries.

• Angr / Claripy - Abstracted constraint-solving wrapper

  • Can be used to brute-force CTF flags in a binary.