Initial Commit

Converted old Joplin Pentest Template to Obsidian

Author: tjnull

Obsidian Pentest Template 1.0/General Information.md

@@ -0,0 +1,82 @@
+Created by TJ Null:
+
+Twitter: https://twitter.com/TJ_Null
+GitHub: https://github.com/tjnull
+
+Contribution: 
+
+If you would like to contribute to the template or provide suggestions, then you can submit an issue on the GitHub Repo here:
+- https://github.com/tjnull/TJ-OPT
+
+## Changelog:
+
+## Changelog for Obsidian
+
+v1.0  Dusting off the books
+
+- Refactored and cleaned up noting structure to align with how Obsidian displays raw markdown. 
+- Separated the Pivoting-Tunneling section to show a set of commands to use for either Windows or Linux.
+- Added a new section to enumerate email services. 
+- Included two scripts (Python & Golang) to with instructions on how you can send a mass email for phishing campaigns.
+- New section for using Rustscan
+- New section for using SQLMap
+- New section for enumerating websites with Feroxbuster
+- New section on enumerating and exploiting AD CS certificates
+- Updated Bypassing AV section with new tools
+- Updated BloodHound section to include the new version of BloodHound Community
+- Updated Mimikatz section
+- New Section on Decrypting VNC Passwords
+- Replaced all crackmapexec commands with NetExec due to change in contribution of the project. 
+## Changelog for Joplin
+
+v1.0: Original Template
+
+v2.0 The first chapter
+
+2. Enumeration 
+- Added an FTP Notebook to include notes for that identified service
+- Added more content in Active Directory
+- Web has a subnotebook to include any content from the changelog.txt file
+- Fixed the gobuster oneliners to match with the recent changes from the tool
+
+3. Exploitation
+- Added some custom options for searchsploit
+
+4. Post Exploitation
+- Moved the subnotebook into a subnotebook (Target #1) so the user can copy the subnotebook and add another one under post exploitation for other targets. 
+- Created a sub notebook to include the output from automated priv esc scripts that are used.
+- Included tools, tips, and resources in all sections for priv esc
+
+v3.0 Major Refactoring Overhaul
+- Added sub notebooks (Recon Targets, Enumeration Targets, Exploitation Targets, Post Exploitation Targets). Makes it easier to organize all of the notes you have for assessing the targets instead of having them cluttered in your other notes.
+- Broke down the recon notes to include a discovery and a host scan sub notebooks
+- Moved Pivot/Tunneling into the Recon Notes Section. [Pivoting/Tunneling](../Pentest%20Template%20Master%203.0/1.%20Recon%20Notes/Pivoting_Tunneling.md)
+- Moved Reporting into High Value Information/Reporting SubNotebook 
+- New section for impacket ntlmrelayx [Impacket NtlmRelayX](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Impacket%20NtlmRelayX.md)
+- New section for pretender [Pretender](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Pretender.md)
+- New section or clean up with responder [Responder](../Pentest%20Template%20Master%203.0/3.%20Enumeration%20Notes/Responder.md)
+- New section including how to use villian [Villian Cheatsheet](../Pentest%20Template%20Master%203.0/5.%20Exploitation%20Notes/Villian%20Cheatsheet.md)
+- New section for editable services [General Notes](../Pentest%20Template%20Master%203.0/7.%20Post%20Exploitation/Editable%20Services/General%20Notes.md)
+- Added a new PWK V2/V3 OSCP Report Template [OSCP Report Template V2](../Pentest%20Template%20Master%203.0/9.%20High%20Value%20Information_Reporting/Reporting/OSCP%20Report%20Template%20V2.md)
+- Added a PowerShell ISO oneliner if you want to launch your payloads through an ISO [General Notes](../Pentest%20Template%20Master%203.0/5.%20Exploitation%20Notes/General%20Notes.md)
+
+
+Shoutout to TheGetch (https://github.com/TheGetch) for sharing some of his notes and giving me some inspiration to the hierarchy he has. 
+
+If you want to see his current methodology you can find it here: https://github.com/TheGetch/Penetration-Testing-Methodology
+
+v4.0  Dusting off the books
+
+- Refactored and cleaned up noting structure to align with how Obsidian displays raw markdown. 
+- Separated the Pivoting-Tunneling section to show a set of commands to use for either Windows or Linux.
+- Added a new section to enumerate email services. 
+- Included two scripts (Python & Golang) to with instructions on how you can send a mass email for phishing campaigns.
+- New section for using Rustscan
+- New section for using SQLMap
+- New section for enumerating websites with Feroxbuster
+- New section on enumerating and exploiting AD CS certificates
+- Updated Bypassing AV section with new tools
+- Updated BloodHound section to include the new version of BloodHound Community
+- Updated Mimikatz section
+- New Section on Decrypting VNC Passwords
+- Replaced all crackmapexec commands with NetExec due to change in contribution of the project. 

Obsidian Pentest Template 1.0/Obsidian Pentest Template 1.0/1. Recon Notes/Discovery Scans/DNS Hostname Discovery.md

@@ -0,0 +1,69 @@
+#recon
+# DNS Discovery
+
+DNSRecon: 
+
+- dnsrecon -d www.example.com -a 
+- dnsrecon -d www.example.com -t axfr
+- dnsrecon -d "startIP-endIP"
+- dnsrecon -d www.example.com -D "namelist" -t brt
+
+Dig: 
+
+- dig www.example.com + short
+- dig www.example.com MX
+- dig www.example.com NS
+- dig www.example.com> SOA
+- dig www.example.com ANY +noall +answer
+- dig -x www.example.com
+- dig -4 www.example.com (For IPv4)
+- dig -6 www.example.com (For IPv6)
+- dig www.example.com mx +noall +answer example.com ns +noall +answer
+- dig -t AXFR www.example.com
+
+Dnsenum Enumeration:
+
+- dnsenum --dnsserver 172.21.0.0 -enum intranet.megacorpone.xx
+- dnsenum --dnsserver 172.21.0.0 -enum management.megacorpone.xx
+- dnsenum --dnsserver 172.21.0.0 -enum www.megacorpone.xx
+
+dnsX Enumeration: 
+- dnsx -l domains.txt -resp -a -aaaa -cname -mx -ns -soa -txt
+- dnsx -silent -d megacorpone.com -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
+
+Using with subfinder: 
+- subfinder -silent -d megacorpone.com | dnsx -silent
+- subfinder -silent -d megacorpone.com | dnsx -silent -a -resp
+- subfinder -silent -d megacorpone.com | dnsx -silent -a -resp-only
+- subfinder -silent -d megacorpone.com | dnsx -silent -cname -resp
+- subfinder -silent -d megacorpone.com | dnsx -silent -asn 
+
+
+Nmap Enumeration: 
+```
+$ ls -lh /usr/share/nmap/scripts/ | grep dns
+-rw-r--r-- 1 root root 1.5K Nov  1  2023 broadcast-dns-service-discovery.nse
+-rw-r--r-- 1 root root 5.3K Nov  1  2023 dns-blacklist.nse
+-rw-r--r-- 1 root root 9.9K Nov  1  2023 dns-brute.nse
+-rw-r--r-- 1 root root 6.5K Nov  1  2023 dns-cache-snoop.nse
+-rw-r--r-- 1 root root  15K Nov  1  2023 dns-check-zone.nse
+-rw-r--r-- 1 root root  15K Nov  1  2023 dns-client-subnet-scan.nse
+-rw-r--r-- 1 root root  10K Nov  1  2023 dns-fuzz.nse
+-rw-r--r-- 1 root root 3.8K Nov  1  2023 dns-ip6-arpa-scan.nse
+-rw-r--r-- 1 root root  13K Nov  1  2023 dns-nsec3-enum.nse
+-rw-r--r-- 1 root root  11K Nov  1  2023 dns-nsec-enum.nse
+-rw-r--r-- 1 root root 3.4K Nov  1  2023 dns-nsid.nse
+-rw-r--r-- 1 root root 4.3K Nov  1  2023 dns-random-srcport.nse
+-rw-r--r-- 1 root root 4.3K Nov  1  2023 dns-random-txid.nse
+-rw-r--r-- 1 root root 1.5K Nov  1  2023 dns-recursion.nse
+-rw-r--r-- 1 root root 2.2K Nov  1  2023 dns-service-discovery.nse
+-rw-r--r-- 1 root root 5.6K Nov  1  2023 dns-srv-enum.nse
+-rw-r--r-- 1 root root 5.7K Nov  1  2023 dns-update.nse
+-rw-r--r-- 1 root root 2.1K Nov  1  2023 dns-zeustracker.nse
+-rw-r--r-- 1 root root  26K Nov  1  2023 dns-zone-transfer.nse
+-rw-r--r-- 1 root root 3.9K Nov  1  2023 fcrdns.nse
+```
+-nmap x.x.x.x -v -p 53 --script=exampleScript1.nse,exampleScript2.nse
+
+
+

Obsidian Pentest Template 1.0/Obsidian Pentest Template 1.0/1. Recon Notes/Discovery Scans/Domain Sub Domain Discovery.md

@@ -0,0 +1,18 @@
+#recon
+# Domain Discovery
+
+Sublis3r:
+
+- Sublist3r -d www.example.com
+- Sublist3r -v -d www.example.com -p 80,443
+
+Subfinder: 
+- subfinder -d megacorpone.com
+
+OWASP AMASS: 
+
+- amass enum -d www.example.com
+- amass intel -whois -d www.example.com
+- amass intel -active 172.21.0.0-64 -p 80,443,8080,8443
+- amass intel -ipv4 -whois -d www.example.com
+- amass intel -ipv6 -whois -d www.example.com

Obsidian Pentest Template 1.0/Obsidian Pentest Template 1.0/1. Recon Notes/Discovery Scans/Network Discovery Scans.md

@@ -0,0 +1,165 @@
+#recon #scanning-enumeration
+# NetDiscover (ARP Scanning):
+- netdiscover -i eth0
+- netdiscover -r 172.21.10.0/24
+
+# Dsniff Arpspoof
+
+First enable Linux box to act as a router:
+
+`echo 1 > /proc/sys/net/ipv4/ip_forward`
+
+Then run `arpspoof`:
+
+`arpspoof -i <interface> -t <target> -r <host>`
+
+For example, to intercept traffic between targets, use:
+
+`arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16`
+
+# Nmap:
+
+- nmap -sn 172.21.10.0/24
+- nmap -sn 172.21.10.1-253
+- nmap -sn 172.21.10.*
+
+You can also grep out the IP addresses and cut out fluff:
+```
+nmap -sn 172.x.x.x/24 | grep "172" | cut -f 5 -d ' '
+```
+
+A slower, more stealthier approach that utilizes the files containing the IP address split (as seen in the first section above) would be:
+```
+nmap --randomize-hosts -sn -T2 -oN nmap_discoveryScan_x.x.x.x-16.txt -iL x.x.x.x_IP_range.split.txt
+```
+This will export the results into a text file (`-oN`). Randomized hosts is optional, depending on the customer and the testing situation. The flag, `-oA`, can be used in place of `-oX` or `-oN`, as `-oA` will output the results to all output formats. 
+
+The results for both command options shown above will be the list of hosts that responded to the ping, thus are up and alive.
+
+# Nbtscan: 
+- nbtscan -r 172.21.1.0/24
+
+# Masscan
+- masscan 172.21.10.0/24 --ping
+
+# Ping Sweeps
+
+## Linux Ping Sweep (Bash)
+
+- for i in {1..254} ;do (ping -c 1 172.21.10.$i | grep "bytes from" &) ;done
+
+## Windows Ping Sweep (Run on Windows System)
+
+- for /L %i in (1,1,255) do @ping -n 1 -w 200 172.21.10.%i > nul && echo 172.21.1.%i is up.
+
+## Powershell Ping Sweep: 
+Note: This command can also run on powershell for Linux
+
+- 1..20 | % {"172.21.10.$($_): $(Test-Connection -count 1 -comp 172.21.10.$($_) -quiet)"}
+- Get-PingSweep Subnet 172.21.10
+```
+# Reference: https://gist.github.com/joegasper/93ff8ae44fa8712747d85aa92c2b4c78
+function ResolveIp($IpAddress) {
+    try {
+        (Resolve-DnsName $IpAddress -QuickTimeout -ErrorAction SilentlyContinue).NameHost
+    } catch {
+        $null
+    }
+}
+
+function Invoke-PingSweep {
+    [CmdletBinding()]
+    Param(
+        [Parameter(Mandatory=$true)]
+        [string]$SubNet,
+        [switch]$ResolveName
+    )
+    $ips = 1..254 | ForEach-Object {"$($SubNet).$_"}
+    $ps = foreach ($ip in $ips) {
+        (New-Object Net.NetworkInformation.Ping).SendPingAsync($ip, 250)
+        #[Net.NetworkInformation.Ping]::New().SendPingAsync($ip, 250) # or if on PowerShell v5
+    }
+    [Threading.Tasks.Task]::WaitAll($ps)
+    $ps.Result | Where-Object -FilterScript {$_.Status -eq 'Success' -and $_.Address -like "$subnet*"} 
+    Select-Object Address,Status,RoundtripTime -Unique |
+    ForEach-Object {
+        if ($_.Status -eq 'Success') {
+            if (!$ResolveName) {
+                $_
+            } else {
+                $_ | Select-Object Address, @{Expression={ResolveIp($_.Address)};Label='Name'}, Status, RoundtripTime
+            }
+        }
+    }
+}
+```
+
+## Python Ping Sweep:
+
+The following python script can be used to perform a ping scan. 
+```
+#!/usr/bin/env python3
+import ipaddress
+from subprocess import Popen, DEVNULL
+
+for ping in range(1, 254):
+        address = "x.x.x.%d" % ping
+        response = Popen(["ping", "-c1", address], stdout=DEVNULL)
+        output = response.communicate()[0]
+        val1 = response.returncode
+        if val1 == 0:
+                print(address)
+```
+This script is specifically used for a /24 network. Modification required for other network types. 
+
+# 802.lQ Cisco Dynamic Trunking Protocol (DTP) 
+
+## Dtpscan
+
+Source: https://github.com/commonexploits/dtpscan
+
+DTPscan will passively sniff the network and detect which switchport mode the switch is configured in to assist with VLAN hopping attacks.**
+
+`./dtpscan.sh`
+
+## Yersinia
+
+In Kali: sudo apt install yersinia
+
+Running yersinia: 
+
+```
+$ sudo yersinia -h
+
+Usage: yersinia [-hVGIDd] [-l logfile] [-c conffile] protocol [protocol_options]
+       -V   Program version.
+       -h   This help screen.
+       -G   Graphical mode (GTK).
+       -I   Interactive mode (ncurses).
+       -D   Daemon mode.
+       -d   Debug.
+       -l logfile   Select logfile.
+       -c conffile  Select config file.
+  protocol   One of the following: cdp, dhcp, dot1q, dot1x, dtp, hsrp, isl, mpls, stp, vtp.
+
+Try 'yersinia protocol -h' to see protocol_options help
+
+Please, see the man page for a full list of options and many examples.
+Send your bugs & suggestions to the Yersinia developers <[email protected]>
+
+MOTD: M4t30 31337 M4t30 31337 M4t30 31337 M4t30 31337 M4t30 31337
+
+```
+
+Once a VLAN has been identified, a virtual interface can be configured within Kali Linux:
+
+```
+modprobe 8021q
+vconfig add <interface> <vlan_number>
+dhclient <interface>.<vlan_number>
+```
+
+Verifying our 
+To check this is configured correctly the `ifconfig <interface>.<vlan_number>` or `ip a` commands can be ran.
+
+Reference: https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Berrueta_Andres/BH_EU_05_Berrueta_Andres.pdf

Obsidian Pentest Template 1.0/Obsidian Pentest Template 1.0/1. Recon Notes/Host Scans/Masscan.md

@@ -0,0 +1,41 @@
+#recon #scanning-enumeration
+## Scanning targets
+- masscan 172.21.10.0
+- masscan 172.21.10.0/24 172.21.0.0/16
+- masscan 172.21.10.0/24 --excludeFile <File>
+- masscan 172.21.10.0/24 --exclude 172.21.10.254
+
+## Scanning for services: 
+- masscan  172.21.10.1 -p 80
+- masscan  172.21.10.1 -p 0-65535
+- masscan  172.21.10.1 -p 80,443
+- masscan 172.21.10.0/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent \
+"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\
+ -oL "output.txt"
+# UDP Scan
+- masscan 172.21.10.1 -pU 53
+
+## Report only open ports
+masscan 10.0.0.1 --open-only
+
+# Other Options
+## Offline Mode (Reviews how fast the program runs without the transmit overhead)
+- masscan 0.0.0.0/24 --offline
+
+## Obtaining Service banners:
+- masscan 172.21.10.1 --banners
+
+## Set masscan to use a source ip
+masscan 10.0.0.1 --source-ip 192.168.1.200
+
+## Change the default user agent
+masscan 10.0.0.1 --http-user-agent <user-agent>
+
+## Save sent packet in PCAP
+masscan 10.0.0.1 --pcap <filename>
+
+# References:
+
+- https://github.com/robertdavidgraham/masscan
+- https://danielmiessler.com/study/masscan/
+