More cheatsheets

linux/apache2.md

@@ -80,6 +80,19 @@ ServerTokens Prod
 apt-get install apache2 php libapache2-mod-php
 ```
 
+### Disable CORS
+```
+a2enmod headers
+
+vim  /etc/apache2/apache2.conf
+
+<IfModule mod_headers.c>
+    Header set Access-Control-Allow-Origin "*"
+    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
+    Header set Access-Control-Allow-Headers "Content-Type"
+</IfModule>
+```
+
 ### Load Balancer
 ```
 a2ensite forward_proxy.conf

linux/impacket-smbclient.md

@@ -11,6 +11,11 @@ impacket-smbclient <domain>/<user>:<password>@<rhost>
 impacket-smbclient -hashes :<ntlmHash> <domain>/<user>@<rhost> -file <commandFile>.txt
 ```
 
+### Connect using null session
+```
+impacket-smbclient <rhost>
+```
+
 ### Opsec considerations - Windows Security Log Event IDs
 ```
 -Logon (4624) -> multiple

linux/mysqldump.md

@@ -0,0 +1,14 @@
+### Export MySQL or MariaDB database
+```
+mysqldump -u <user> -p <databaseName> > <resultFile>.sql
+```
+
+### Import database
+```
+mysql -u <user> -p
+
+mysql> CREATE DATABASE newDatabase;
+
+mysql -u <user> -p newDatabase < <resultFile>.sql
+```
+

linux/smbclient.md

@@ -3,6 +3,11 @@
 smbclient --option='client min protocol=nt1' -L "\\<rhost>\\<share>" -U <user> --option='client lanman auth = yes' --option='client ntlmv2 auth = no' --option='ntlm auth = no'
 ```
 
+### Using null session 
+```
+smbclient -N -L \\<rhost>
+```
+
 ### Opsec considerations - Windows Security Log Event IDs
 ```
 -Logon (4624) -> multiple

other/ssh-share.md

@@ -0,0 +1,20 @@
+### Start ssh file transfer (linux)
+```
+sshfs <user>@<rhost>:/<pathToShare> <pathToLocalDirectory>
+```
+
+### Unmount share
+```
+fusermount -u <pathToLocalDirectory>
+```
+
+### Start ssh file transfer (windows)
+```
+net use X: \\sshfs\<user>@<rhost>
+```
+
+### Unmount share
+```
+net del X:
+```
+

snippet/py/flaskRedirect.py

@@ -0,0 +1,9 @@
+from flask import Flask, redirect
+
+app = Flask(__name__)
+
+@app.before_request
+def redirect_all():
+    # redirect to a different website
+    return redirect("https://domain.com", code=302)
+

snippet/sh/saveMultipleStdoutToVariable.sh

@@ -0,0 +1,9 @@
+allNumbers=""
+
+for i in {1..5}
+do
+    allNumbers+="${i}\n"
+done
+
+echo -e "${allNumbers}"
+

url/git-tools

@@ -115,6 +115,9 @@ https://github.com/AdrianVollmer/PowerSploit
 https://github.com/Aetsu/OffensivePipeline
 OffensivePipeline allows to download, compile (without Visual Studio) and obfuscate C# tools for Red Team exercises.
 
+https://github.com/AirbusProtect/AD-Canaries
+The purpose of this project is to publish and maintain the deployment PowerShell script that automates deployments for Active Directory Canary objects.
+
 https://github.com/Alb-310/Geogramint
 An OSINT Geolocalization tool for Telegram that find nearby users and groups
 
@@ -154,6 +157,9 @@ Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC,
 https://github.com/AzeemIdrisi/PhoneSploit-Pro
 An all-in-one hacking tool to remotely exploit Android devices using ADB and Metasploit-Framework to get a Meterpreter session.
 
+https://github.com/Azure/PyRIT
+The Python Risk Identification Tool for generative AI (PyRIT) is an open source framework built to empower security professionals and engineers to proactively identify risks in generative AI systems.
+
 https://github.com/Azure/Stormspotter
 Azure Red Team tool for graphing Azure and Azure Active Directory objects
 
@@ -526,6 +532,9 @@ CVE-2021-34527 is a critical remote code execution and local privilege escalatio
 https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell
 Fully functioning reverse shell written entirely in VBA.
 
+https://github.com/JumpsecLabs/TokenSmith
+TokenSmith generates Entra ID access & refresh tokens on offensive engagements. It is suitable for both covert adversary simulations and penetration tests with the tokens generated working out of the box with many popular Azure post exploitation tools.
+
 https://github.com/K3YOMI/Wall-of-Flippers
 Wall of Flippers is designed to find Flipper Zero devices using BLE (Bluetooth Low Energy)
 
@@ -535,6 +544,12 @@ https://github.com/Kevin-Robertson/Inveigh
 https://github.com/Kevin-Robertson/Invoke-TheHash
 PowerShell Pass The Hash Utils
 
+https://github.com/Krypteria/Proxll
+Tool designed to simplify the generation of proxy DLLs while addressing common conflicts related to windows.h
+
+https://github.com/Kudaes/ADPT
+DLL proxying for lazy people
+
 https://github.com/Kudaes/Eclipse
 Activation Context Hijack
 
@@ -562,6 +577,9 @@ SuperSharpShares is a tool designed to automate enumerating domain shares, allow
 https://github.com/Leo4j/Amnesiac
 Amnesiac is a post-exploitation framework entirely written in PowerShell and designed to assist with lateral movement within Active Directory environments
 
+https://github.com/Leo4j/Invoke-SMBRemoting
+Interactive Shell and Command Execution over Named-Pipes (SMB) for Fileless lateral movement
+
 https://github.com/Leo4j/Invoke-SessionHunter
 Retrieve and display information about active user sessions on remote computers. No admin privileges required.
 
@@ -598,6 +616,9 @@ This PoC creates multiple processes, where each process performs a specific task
 https://github.com/Maldev-Academy/EntropyReducer
 Reduce Entropy And Obfuscate Youre Payload With Serialized Linked Lists
 
+https://github.com/Maldev-Academy/ExecutePeFromPngViaLNK
+Extract and execute a PE embedded within a PNG file using an LNK file. The PE file is encrypted using a single-key XOR algorithm and then injected as an IDAT section to the end of a specified PNG file.
+
 https://github.com/Maldev-Academy/MaldevAcademyLdr.1
 Maldev Academy's October update saw several interesting modules being released to our users. One of them was our DLL loader that was successfully tested against several EDRs including MDE and Crowdstrike.
 
@@ -625,6 +646,9 @@ A C# utility for interacting with SCCM
 https://github.com/Meckazin/ChromeKatz
 Dump cookies directly from Chrome process memory
 
+https://github.com/MegaManSec/LDAP-Monitoring-Watchdog
+LDAP Watchdog: A real-time linux-compatible LDAP monitoring tool for detecting directory changes, providing visibility into additions, modifications, and deletions for administrators and security researchers.
+
 https://github.com/MegaManSec/SSH-Snake
 SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
 
@@ -973,6 +997,9 @@ A small tool to convert Base64-encoded .kirbi tickets from Rubeus into .ccache f
 https://github.com/SpecterOps/BloodHound
 Six Degrees of Domain Admin
 
+https://github.com/SpecterOps/cred1py
+A Python POC for CRED1 over SOCKS5
+
 https://github.com/SpiderLabs/Responder
 Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
 
@@ -1270,9 +1297,6 @@ netshell features all in version 2 powershell
 https://github.com/bettercap/bettercap
 The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.
 
-https://github.com/beurtschipper/Depix
-Recovers passwords from pixelized screenshots
-
 https://github.com/biffalo/handy-posh
 Get scheduled tasks in task root and prints name and action of each
 
@@ -1390,6 +1414,9 @@ A light-weight first-stage C2 implant written in Nim.
 https://github.com/chvancooten/maldev-for-dummies
 A workshop about Malware Development
 
+https://github.com/citronneur/pamspy
+Credentials Dumper for Linux using eBPF
+
 https://github.com/cjm00n/EvilSln
 A New Exploitation Technique for Visual Studio Projects
 
@@ -1759,6 +1786,9 @@ In this repository you can find all RegRipper plugins that I have created. We en
 https://github.com/garrettfoster13/sccmhunter
 SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.
 
+https://github.com/gatariee/gocheck
+Because AV evasion should be easy.
+
 https://github.com/gchq/CyberChef
 The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
 
@@ -1882,6 +1912,9 @@ A tool to dump the login password from the current linux user
 https://github.com/hustvl/Matte-Anything
 Matte Anything: Interactive Natural Image Matting with Segment Anything Models
 
+https://github.com/hvs-consulting/nfs-security-tooling
+This script prints details about an NFS server and detects some potential misconfigurations which are highlighted in red.
+
 https://github.com/hyc/fcrackzip
 A braindead program for cracking encrypted ZIP archives. Forked from http://oldhome.schmorp.de/marc/fcrackzip.html
 
@@ -1969,6 +2002,9 @@ A powerful obfuscator for JavaScript and Node.js
 https://github.com/jazzpizazz/BloodHound.py-Kerberos
 A Python based ingestor for BloodHound
 
+https://github.com/jborean93/AmsiProvider
+Test AMSI Provider implementation in C#
+
 https://github.com/jborean93/PSEtw
 PowerShell ETW consumer module
 
@@ -2395,6 +2431,9 @@ SSH User Enumeration Script in Python Using The Timing Attack
 https://github.com/neodyme-labs/github-secrets
 This tool analyzes a given Github repository and searches for dangling or force-pushed commits containing potential secret or interesting information.
 
+https://github.com/netero1010/ClipboardHistoryThief
+POC tool to extract all persistent clipboard history data from clipboard service process memory
+
 https://github.com/netero1010/EDRSilencer
 A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
 
@@ -2665,6 +2704,9 @@ dnsReaper - subdomain takeover tool for attackers, bug bounty hunters and the bl
 https://github.com/punk-security/pwnspoof
 pwnSpoof (from Punk Security) generates realistic spoofed log files for common web servers with customisable attack scenarios.
 
+https://github.com/purs3lab/Argus
+This repo contains the code for our USENIX Security '23 paper "ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions". Argus is a comprehensive security analysis tool specifically designed for GitHub Actions. Built with an aim to enhance the security of CI/CD workflows, Argus utilizes taint-tracking techniques and an impact classifier to detect potential vulnerabilities in GitHub Action workflows.
+
 https://github.com/pushsecurity/saas-attacks
 Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face.
 
@@ -2833,6 +2875,9 @@ Spartacus DLL Hijacking Discovery Tool
 https://github.com/safebreach-labs/CloudMiner
 Execute code using Azure Automation service without getting charged
 
+https://github.com/safedv/RustPotato
+A Rust implementation of GodPotato — abusing SeImpersonate to gain SYSTEM privileges. Includes a TCP-based reverse shell and indirect NTAPI for various operations.
+
 https://github.com/safedv/Rustic64Shell
 64-bit, position-independent reverse tcp shell, built in Rust for Windows.
 
@@ -2932,6 +2977,9 @@ A reconnaissance framework for researching and investigating Telegram.
 https://github.com/soufianetahiri/CitrixSecureAccessAuthCookieDump
 Dump Citrix Secure Access auth cookie from the process memory
 
+https://github.com/spipm/Depixelization_poc
+Depix is a PoC for a technique to recover plaintext from pixelized screenshots.
+
 https://github.com/sqlmapproject/sqlmap
 Automatic SQL injection and database takeover tool
 

url/osint.md

@@ -26,6 +26,7 @@
 * https://dnslytics.com ; #osint #reverse-ip #nameserver #google-adsense #google-analytics #rootdomain
 * https://epieos.com ; #osint #email #phone #user-profile
 * https://facecheck.id ; #osint #image-search #facial-recognition
+* https://faceonlive.com/face-search-online ; #osint #image-search #facial-recognition
 * https://fullhunt.io ; #osint #portscan #subdomain #country
 * https://geospy.ai ; #osint #geolocation #image
 * https://gps-coordinates.org/latitude-and-longitude.php ; #osint #geolocation #longitude #latitude

url/services.md

@@ -55,6 +55,7 @@
 * https://lots-project.com ; #living-off-the-trusted-sites #phishing
 * https://lottunnels.github.io ; #living-off-the-tunnels #pivot #socks #socket
 * https://malpedia.caad.fkie.fraunhofer.de
+* https://mha.azurewebsites.net/pages/mha.html ; #email #header-analyze #phishing
 * https://msportals.io
 * https://myip.wtf/json
 * https://nthashes.com

url/tagged-urls.md

@@ -78,6 +78,7 @@
 * https://blog.bushidotoken.net/2023/07/investigating-sms-phishing-text.html ; #threat-intelligence #sms #phishing
 * https://blog.bushidotoken.net/2023/08/hacktivists-liars-and-morons.html ; #threat-intelligence #hacktivist #ftp
 * https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html ; #akira #conti #ransomware #threat-intelligence
+* https://blog.bwlryq.net/posts/icmp_exfiltration ; #icmp #data-exfiltration #pcap
 * https://blog.calif.io/p/privilege-escalation-in-eks ; #cloud #aws #kuberneted #elastic #privesc #privilege-escalation
 * https://blog.calif.io/p/redash-saml-authentication-bypass ; #webapp #saml #authentication-bypass #cve
 * https://blog.christophetd.fr/dll-unlinking ; #windows #dll #injection #evasion #unlinking
@@ -90,6 +91,7 @@
 * https://blog.cyber5w.com/introducing-windows-registry ; #windows #registry
 * https://blog.cyble.com/2023/06/09/over-45-thousand-users-fell-victim-to-malicious-pypi-packages ; #threat-intelligence #python #pypi #supply-chain
 * https://blog.cyble.com/2023/06/13/threat-actor-targets-russian-gaming-community-with-wannacry-imitator ; #threat-intelligence #malware-analyse #gaming #ransomware #wannacry
+* https://blog.deeb.ch/posts/how-edr-works ; #edr #evasion #bypass #shellcode #signature #event-tracing-for-windows #etw #hooks #memory #kernel
 * https://blog.delivr.to/svg-smuggling-a-picture-worth-a-thousand-words-fae8a946a300?gi=e2ee37ee9c09 ; #threat-intelligence #malware-analyse #svg-smuggling
 * https://blog.deteact.com/gunicorn-http-request-smuggling ; #web #http-request-smuggling
 * https://blog.didierstevens.com/2023/01/22/analyzing-malicious-onenote-documents ; #threat-intelligence #malware-analyse #onenote
@@ -295,6 +297,7 @@
 * https://labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d ; #threat-intelligence #malware #facebook #phishing #batch
 * https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware ; #ms-teams #phishing #http-post #instant-messenger
 * https://labs.jumpsec.com/ssh-tunnelling-to-punch-through-corporate-firewalls-updated-take-on-one-of-the-oldest-lolbins ; #windows #ssh #pivoting #proxy #firewall #port-forwarding
+* https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access ; #entra #cap #conditional-access-policies #client-id
 * https://labs.jumpsec.com/weaponize-your-word-malicious-template-injection ; #windows #word #template-injection #docx #settings-xml-rels #docm
 * https://labs.lares.com/adcs-exploits-investigations-pt1 ; #active-directory #certificate-service #adcs #detection #event-id
 * https://labs.lares.com/adcs-exploits-investigations-pt2 ; #active-directory #certificate-service #adcs #detection #esc1 #esc3 #esc4 esc6
@@ -419,6 +422,7 @@ https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tok
 * https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c ; #active-directory #certificate-service #adcs #esc5 #ldap
 * https://posts.specterops.io/get-your-socks-on-with-gtunnel-4a70a9b82b24 ; #pivoting #socks #gtunnel #proxy
 * https://posts.specterops.io/introducing-bloodhound-4-2-the-azure-refactor-1cff734938bd ; #cloud #azure #entra #azure #entrahound
+* https://posts.specterops.io/intune-attack-paths-part-1-4ad1882c1811 ; #azure #entra #intunes #on-prem #active-directory
 * https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922 ; #active-directory #windows #dcom #excel #lateral-movement #clsid
 * https://posts.specterops.io/lateral-movement-without-lateral-movement-brought-to-you-by-configmgr-9b79b04634c7 ; #sccm #system-centre-configuration-manager #windows #lateral-movement #active-directory
 * https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5?gi=bf1d6922691f ; #phishing #smartscreen #clickonce
@@ -620,6 +624,7 @@ https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tok
 * https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process ; #shellcode #process-injection #cheatsheets
 * https://www.elastic.co/security-labs/dismantling-smart-app-control ; #windows #initial-access #lnk-stomping #smart-screen-bypass
 * https://www.elastic.co/security-labs/grimresource ; #initial-access #msc #javascript #windows #mmc #dotNetToJScript
+* https://www.enyei.com/ie-dcom-to-lfi ; #windows #dcom #lateral-movement #edge #local-file-read
 * https://www.errno.fr/TTYPushback.html ; #linux #privesc #privilege-escalation #tty-pushback
 * https://www.example-code.com/vbscript/http.asp ; #vbscript #cheatsheets
 * https://www.fo-sec.com/articles/10-defender-bypass-methods ; #windows-defender #av #anti-virus #evasion #bypass #etw #amsi #obfuscation

windows/start-process.md → windows/process.md

@@ -13,3 +13,8 @@ $scp = ConvertTo-SecureString '<password>' -AsPlainText -Force; $cred = New-Obje
 Start-Process -wi 1 -FilePath "powershell" -ArgumentList " -c ssh -o 'StrictHostKeyChecking=no' -i $HOME\.ssh\<privateKey> -N -R 9050 <user>@<rhost>"
 ```
 
+### Stop process by name
+```
+Stop-Process -Name "<name>"
+```
+

windows/procmon.md

@@ -0,0 +1,9 @@
+### Source
+* https://live.sysinternals.com/Procmon.exe
+* https://live.sysinternals.com/Procmon64.exe
+
+### Track file and registry changes
+```
+.\procmon.exe
+```
+

windows/spartacus.md

@@ -0,0 +1,8 @@
+### Source
+https://github.com/sadreck/Spartacus
+
+### Discover COM hijackable DLLs
+```
+.\Spartacus.exe --mode com --procmon <pathToProcmon> --pml <pathToProcmonLogs> --csv <pathToDllsLogs> --verbose
+```
+

windows/sqlcmd.md

@@ -0,0 +1,23 @@
+### Install
+* https://www.microsoft.com/en-us/download/details.aspx?id=53339
+* https://www.microsoft.com/en-us/download/details.aspx?id=53591
+
+### Import database
+```
+sqlcmd -S (localdb)\Local -i <path>\<file>.bak -x -e
+```
+
+### Connect and list databases, tables and content
+```
+sqlcmd -S (localdb)\Local
+
+select DB_NAME()
+go
+
+select TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
+go
+
+select * FROM <table>
+go
+```
+