Skip to content

Commit

Permalink
Initial commit.
Browse files Browse the repository at this point in the history
  • Loading branch information
@Tib3rius
Tib3rius committed Nov 19, 2019
0 parents commit 53895b1
Show file tree
Hide file tree
Showing 60 changed files with 24,382 additions and 0 deletions.
19 changes: 19 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
# Minimal makefile for Sphinx documentation
#

# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
SOURCEDIR = .
BUILDDIR = _build

# Put it first so that "make" without argument is like "make help".
help:
@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

.PHONY: help Makefile

# Catch-all target: route all unknown targets to Sphinx using the new
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
%: Makefile
@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
71 changes: 71 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
# Penetration Testing Guide

## Getting Started

Install sphinx and the "Read The Docs" theme:

```bash
$ pip install sphinx sphinx_rtd_theme
```

## Contributing

I've tried to stick to a layout throughout (early on I did not, if you see pages that don't match the style I'm about to describe, feel free to fix them).

**Section Headings**

The page title should be at the top of the page and use the following syntax. Note that the #'s must appear above and below the title, and must span the width of the title.

```
##########
Page Title
##########
```

Sections, subsections, etc use a similar syntax, but do not require an overline:

```
Section
=======
Subsection
----------
Subsubsection
^^^^^^^^^^^^^
```

If anything lower than the subsubsection is required, it is suggested that bold text is used.

**Code Examples**

Code blocks can be placed like so:

```
.. code-block:: bash
code goes here
```

If possible, avoid showing prompt characters (e.g. $, #, or C:\>) unless necessary for the example.

For inline code, use:

```
:code:`inline code goes here`
```

**Additional Markup**

There is a very useful basic guide to Sphinx/reStructuredText here: http://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html

**Compiling**

How to compile after making alterations:

```bash
$ pip install sphinx sphinx_rtd_theme
$ make clean && make html
```

The compiled html will be in the _build directory.
12 changes: 12 additions & 0 deletions _static/css/custom.css
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
div.document {width:auto !important}
div.body {max-width:none !important}
div.body p {font-size:0.9em !important}

pre {white-space:pre-wrap !important;white-space:-moz-pre-wrap !important;white-space:-pre-wrap !important;white-space:-o-pre-wrap !important;word-wrap:break-word !important;line-height:1.5em !important}
li.toctree-l1 > a {font-size:0.9em !important}
p.caption > span.caption-text {font-weight:bold !important}
div.highlight > pre {font-size:0.8em !important}
.wy-nav-content {max-width:none !important}
.rst-content table.docutils td {vertical-align:top !important;overflow-wrap:break-word !important;word-wrap:break-word !important;word-break:break-word !important;hyphens:auto !important;white-space:normal !important;}
.wy-table-responsive {overflow:unset !important}
.wy-table-responsive table {table-layout:fixed !important;max-width:100% !important;}
260 changes: 260 additions & 0 deletions _static/files/Powerless.bat
Original file line number Diff line number Diff line change
@@ -0,0 +1,260 @@
@echo off
set userprofile=%cd%
mode con:cols=160 lines=9999
Cd c:\

echo ------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------
:: https://github.com/GDSSecurity/Windows-Exploit-Suggester
systeminfo
echo.

echo ----- Architecture -------
SET Processor
echo.

echo ------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
:: Note, in CTF boxes its not uncommon to see other low level users on the machine. It can be a temptation to want to always skip to Administrator, but sometimes it is essential that you elevate privileges to that of a different user first before being able to get admin rights. Once you get that users rights, pay close attention to their user folder.
echo Current User: %username%
whoami /all
echo --- All users, accounts and groups ---
net users
net accounts
net localgroup

echo ------- Administrators --------
net localgroup administrators

echo ------- Environment Variables -------
set
echo.

echo ------- Additional Drives (if not run as part of a batch job replace double percent with single percent sign)--------
for %%i in (a b d e f g h i j k l m n o p q r s t u v w x y z) do @dir %%i: 2>nul
echo.

echo ---------------------------------------- Search for Quick Wins --------------------------------------
echo -------- Listing contents of user directories ---------
:: In CTF machines it is VERY common for there to be artifacts used for privilege escalation within user directories. Pay special attention for files that may contain credentials, or files that maybe used as part of a scheduled task. You can typically ignore most default windows files (some of which have been filtered out as part of this script).
dir "C:\Users\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
dir "C:\Documents and Settings\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
echo.

echo -------- Exploring program directories and C:\ ---------
:: These directory listings are not recursive. They are meant to give you a general overview of the programs installed on the system. Searchsploit every (non default/windows) program version, and check each program config for creds.
echo --- Program Files ---
dir "C:\Program Files" /b
echo --- Program Files (x86) ---
dir "C:\Program Files (x86)" /b
echo --- Root of C:\ ----
dir "C:\" /b
echo.

echo --- Inetpub (any config files in here? May need to manually drill into this folder if it exists) ---
:: The root web folder can at times be extensive, and thus we do not always want to show a recursive listing of its contents in this script but it should always be investigated regardless.
dir /a /b C:\inetpub\

echo --- Broad search for Apache or Xampp ---
dir /s /b apache* xampp*
echo.

echo ---Search for Configuration and sensitive files---
echo -- Broad search for config files --
:: If the .NET framework is installed you will get a bunch of config files which are typically default and can be ignored. The more you practice priv esc. the more youll learn which files can be ignored, and which you should give a closer eye to.
dir /s /b php.ini httpd.conf httpd-xampp.conf my.ini my.cnf web.config
echo -- Application Host File --
type C:\Windows\System32\inetsrv\config\applicationHost.config 2>nul
echo -- Broad search for unattend or sysprep files --
dir /b /s unattended.xml* sysprep.xml* sysprep.inf* unattend.xml*
echo -- Stored Passwords --
:: To use stored cmdkey credentials use runas with /savecred flag (e.g. runas /savecred /user:ACCESS\Administrator "ping 10.10.10.9")
cmdkey /list
echo.

echo -- Checking for any accessible SAM or SYSTEM files --
dir %SYSTEMROOT%\repair\SAM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
dir %SYSTEMROOT%\System32\config\SAM 2>nul
dir %SYSTEMROOT%\repair\system 2>nul
dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
dir /a /b /s SAM.b*
echo.

echo -- Broad search for vnc kdbx or rdp files --
dir /a /s /b *.kdbx *vnc.ini *.rdp
echo.

echo --- Searching Registry for Passwords ---
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query HKLM /f password /t REG_SZ /s /k
reg query HKCU /f password /t REG_SZ /s /k
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
echo.

echo --- AlwaysInstallElevated Check ---
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
echo.

echo --- Program Files and User Directories where everybody (or users) have full or modify permissions ---
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
icacls "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.
echo ... performing same checks but using cacls instead of icacls (for older versions of Windows)...
cacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
cacls "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
cacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
cacls "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
cacls "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
cacls "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.

echo ---Domain joined? If so check domain controller for GPP files ----
set user
echo.

cd %userprofile%
echo ---Unquoted Service Paths (requires that the directory from which this script is run is user writeable. If it is not, you can use the WMIC command below) ---
REM wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
sc query state= all > scoutput.txt
findstr "SERVICE_NAME:" scoutput.txt > Servicenames.txt
FOR /F "tokens=2 delims= " %%i in (Servicenames.txt) DO @echo %%i >> services.txt
FOR /F %%i in (services.txt) DO @sc qc %%i | findstr "BINARY_PATH_NAME" >> path.txt
find /v """" path.txt > unquotedpaths.txt
sort unquotedpaths.txt|findstr /i /v C:\WINDOWS
del /f Servicenames.txt
del /f services.txt
del /f path.txt
del /f scoutput.txt
del /f unquotedpaths.txt
echo.

echo --------------- AccessChk (checks permissions for Authenticated Users, Everyone, and Users)------------------
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f

echo --- Accesschk World writeable folders and files ----
accesschk.exe -uwdqs "Users" c:\ /accepteula
accesschk.exe -uwdqs "Authenticated Users" c:\ /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula
accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
echo.
echo --- Accesschk services with weak permissions ---
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
echo.
echo --- Accesschk services that we can change registry values for (such as ImagePath) ---
accesschk.exe -kvqwsu "Everyone" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Authenticated Users" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Users" hklm\system\currentcontrolset\services /accepteula
echo.
echo ---------------------------------------- End Search for Quick Wins --------------------------------------

cd c:\
echo ------- Powershell existence/version check -------
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion

echo ------- Network shares -------
net share

echo ------- Programs that run at startup ------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
wmic startup get caption,command

echo -------- Path (is dll hijacking possible?) ------
echo Getting system + user path from command line (check permissions using cacls [path] or accesschk.exe -dqv [path])...
echo %path%
echo.
:: I couldnt find a way to only get system path in DOS (user path does not matter for the purpose of dll hijacking). If powershell is available you can use folderperm.ps1 script
:: https://github.com/ankh2054/windows-pentest/blob/master/Powershell/folderperms.ps1
:: powershell.exe -ExecutionPolicy Bypass -noLogo -Command "[Environment]::GetEnvironmentVariable('Path', [System.EnvironmentVariableTarget]::Machine)"
:: Or let the script do all the work for you
:: powershell.exe -executionpolicy bypass -file folderperm.ps1

echo ------- Scheduled Tasks Names Only -------
:: Look for any interesting/non-standard scheduled tasks, then view the scheduled task details list below to get a better idea of what that task is doing and who is running it).
schtasks /query /fo LIST 2>nul | findstr "TaskName"
echo.

echo ------- Scheduled Tasks Details (taskname, author, command run, run as user) -------
schtasks /query /fo LIST /v | findstr "TaskName Author: Run: User:"
echo.

echo ------- Services Currently Running (check for Windows Defender or Anti-virus) ---------
net start
echo.

echo ------- Link Running Processes to started services --------
tasklist /SVC
echo.

echo ------- Processes verbose output (who is running what?) --------
:: Pay close attention to this list. Especially for those tasks run by a user other than your own.
tasklist /v
echo.

echo ------- Patches (also listed as part of systeminfo) -------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
:: Systeminfo may at times fail to list all patches (instead showing 'file x' or something along those lines) in which case its important to have this fallback.
wmic qfe get Caption,Description,HotFixID,InstalledOn

echo ------- Firewall ------
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall dump

echo ------ Network information ------
ipconfig /all

:: Routing and ARP tables accessible with these commands... uncomment if you wish, I didnt typically find them helpful for priv esc.
REM route print
REM arp -A
echo.

echo ------- Current connections and listening ports -------
:: Reverse port forward anything that is not accessible remotely, and run nmap on it. If SMB is available locally, do you have creds or hashes you can pass through it after port forwarding?
netstat -ano
echo.
echo ------- REVERSE PORT FORWARD MULTIPLE PORTS AT ONCE: plink.exe -l username -pw mysecretpassword -P [port] 10.11.0.108 -R 8080:127.0.0.1:8080 -R 8000:127.0.0.1:8000 -R 443:127.0.0.1:443 ------------
echo.

echo --- Broad search for any possible config files which may contain passwords ---
:: The following broad config file and credential searches could result in many results. They are meant as a fall back once you have already done thorough enumeration of user directories, web directories, and program directories (in addition to having pillaged the db).
dir /s /b *pass* *cred* *vnc* *.config*
echo.

echo --- Starting broad search in the background for any files with the word password in it. Press enter to get status occasionally --"
start /b findstr /sim password *.xml *.ini *.txt *.config *.bak 2>nul
echo.

Loading

0 comments on commit 53895b1

Please sign in to comment.