Useful Commands
Extract domain users from winscanx dcenum
Extract domain users from enum4linux dcenum
Extract domain users from 'net user'
On the Windows DC/DS, in cmd.exe:
Using bash:
Add a local user and add to administrators group
Compile C source files
If the target machine does not have GCC installed, the source can be compiled on the attacker machine instead. Take note of the target's architecture first, then use the following syntax:
For 64-bit:
For 32-bit:
Find text between 2 strings
Extract email address from file
Find users with specific weak passwords from pipal output
Add new entries to password leak (combs) for h8mail
This takes a file in email:password format and adds its entries to the COMBS password leak, placing them in the relevant folder structure.
Linux:
Windows:
Searching shares for passwords
To find FILES with "password" in the file name, use the 'find' command:
This will search for FOLDERS
This command will search the /tmp/shared/ directory and all of its subdirectories for files (-type f) with "password" in the name. The -iname option makes the search case-insensitive.
To find files that contain "password" in their contents, use 'find' in combination with 'grep':
This command searches all files in the /tmp/shared/ directory and its subdirectories
You can suppress the 'binary file matches' lines by adding -I to the grep, such as:
To read the printable contents of a binary file instead, you can simply use 'strings':
Mount the share
Create a Mount Point: Decide where you want to mount the share and create a directory for it. For example:
Mount the Share: Use the 'mount' command to mount the share. You'll need to know the username and password for the share. Replace USERNAME and PASSWORD with your credentials:
If you need to specify a domain, you can add the 'domain' option:
Unmounting: When you're done, you can unmount the share using:
Find what groups a user is a member of
It will look like this
winscanx
enum4linux
For loop
Responder - found users unique
Query LDAP about a user
Search for exploits from CVEs
If you export 'vulns' from msfconsole (for example after importing results such as Nessus scans):
You can then extract all the CVEs that were identified using the following command:
You can go one step further and automate Searchsploit to try to find exploits relating to those CVEs using my script here: https://raw.githubusercontent.com/leonteale/pentestpackage/master/Utilities/CVE-exploit-finder.sh
This is what a found exploit will look like (you'll recognise it from Searchsploit)
and no findings will look like this:
Change Metasploit's search