Reconnaissance
Files to check
Windows
%SYSTEMROOT%\System32\drivers\etc\hosts | >>> local DNS entries.
%SYSTEMROOT%\System32\drivers\etc\networks | >>> network configuration.
%SYSTEMROOT%\System32\config\SAM | >>> users and passwords saved in hash format.
%SYSTEMROOT%\repair\SAM | >>> backup copy of the SAM file.
%SYSTEMROOT%\System32\config\RegBack\SAM | >>> another backup copy of the SAM file.
%SYSTEMROOT%\Prefetch | >>> prefetch directory [.exe execution logs].
%SYSTEMROOT%\System32\ntds.dit | >>> Active Directory database.
%SYSTEMROOT%\NTDS\ntds.dit | >>> Active Directory backup.
%WINDIR%\system32\config\AppEvent.Evt | >>> application logs.
%WINDIR%\system32\config\SecEvent.Evt | >>> security logs.

Note: %SYSTEMROOT% and %WINDIR% are environment variables in Windows; both resolve to the C:\Windows directory.

Linux
/etc/passwd | >>> contains information about registered system users.
/etc/shadow | >>> stores the actual passwords in hashed form.
/etc/fstab | >>> describes which disk devices are available and at which mount points.
/etc/hosts | >>> host names and their corresponding IP addresses, used for local name resolution.
/etc/crontab | >>> parent schedule that runs commands periodically (hourly, daily, weekly and monthly).
/etc/bash.bashrc | >>> shell script that configures bash: aliases, functions, prompt settings and more.
/etc/resolv.conf | >>> list of domain name servers (DNS) used by the local machine.
/etc/profile | >>> system-wide environment settings and startup programs (e.g. the PATH variable).
/etc/sudoers | >>> tells sudo which users may run which commands.
/etc/yum.conf | >>> yum configuration file.
/etc/motd | >>> "Message Of The Day", the message users see at login.
/etc/issue | >>> information about the OS (release version and/or kernel info).
/var/log/messages | >>> contains various logs, including those generated during the boot process.
/proc/meminfo | >>> memory usage information.
/proc/cpuinfo | >>> CPU information.
/proc/mount | >>> mounted file systems and drives.
/proc/stat | >>> detailed system statistics.
Open Source Intelligence | OSINT
Domains | IPs
bulkblacklist.com | >>> check reputation of IP addresses or domains in bulk.
virustotal.com | >>> analyze suspicious files and URLs, hash, files, IP address & more.
mxtoolbox.com | >>> check different info from domains, emails, IP addresses & more.
threatcrowd.org | >>> check threat information starting from domains, IPs, email addresses & more.
ipleak.net | >>> check IPs or domains.
Domains
dnsdumpster.com | >>> dns recon, domains – subdomains & more.
urlscan.io | >>> check for redirection, reputation and visualization of a webpage.
urlvoid.com | >>> check for potential malicious websites.
whois.net | >>> secure domain name searches.
IP Address
ipinfo.io | >>> check IP address location, ASN info & more.
robtex.com | >>> IP numbers, domain names, host names, autonomous systems, routes etc.
talosintelligence.com | >>> analyze suspicious files and URLs, hash, files, IP address & more.
abuseipdb.com | >>> check IP address, network or domain location & reputation.
IOT
camarasvialescr.com | >>> check info from live-streaming webcams. Country: Costa Rica.
shodan.io | >>> get information of lots of different IoT devices around the world.
CVE Databases
archive.org | >>> big timeline database of the internet.
exploit-db.com | >>> very common exploit database.
cve.mitre.org | >>> list of publicly disclosed cybersecurity vulnerabilities.
cvedetails.com | >>> security vulnerability data-source.
Leaks
dehashed.com | >>> find leaked passwords associated with specific email addresses.
haveibeenpwned.com | >>> database of leaks, check if your email address was compromised or not.
haveibeenzucked.com | >>> check if your personal data was part of the Facebook breach 2019.
wikileaks.org | >>> search on Wikileaks.
Hardware
devicehunt.com | >>> check info related to USB devices or system drivers.
the-sz.com | >>> check for references about USB devices by Product ID, Vendor ID or name.
Web
crxcavator.io | >>> check different Chrome extensions by ID to discover versioning, risk score & more.
useragentstring.com | >>> check for different user_agents.
IoCs | Malware
alienvault.com | >>> check for IoCs.
virustotal.com | >>> analyze suspicious files and URLs, hash, files, IP address & more.
urlhaus.com | >>> find malicious URLs that are being used for malware distribution.
malwarebazaar | >>> find malware samples.
threatfox | >>> find IoCs from malware samples.
Human
pimeyes.com | >>> face search engine & reverse image search.
mailinator.com | >>> public email box.
crunchbase.com | >>> find investors, companies, acquisitions & more.
Geolocation
maxmind.com | >>> IP geolocation.
Decode | Decrypt
unshorten.it | >>> inspect for real URLs behind a shortened URL.
unicodelookup.com | >>> check for real unicode characters.
Enumeration
NMAP Usage
dirb/dirbuster/gobuster Usage
wfuzz Usage
sslyze Usage
SQLmap Usage
Domain Enumeration PowerShell
Bypass AV Signatures
Resource Development
Initial Access
Execution
Spawn a TTY shell
Persistence
Privilege Escalation
Windows
fuzzysecurity | >>> Windows Privilege Escalation Fundamentals
TCM | >>> Windows Privilege Escalation
PayloadAllTheThings
Linux
PayloadAllTheThings
Defense Evasion
Credential Access
Hydra Usage
John The Ripper Usage
RockYou Wordlist
Discovery
Lateral Movement
Collection
Command & Control C2
Exfiltration
Protocols & Ports
HTTP or Hypertext Transfer Protocol | >>> 80 | TCP
HTTPS or HTTP over TLS/SSL | >>> 443 | TCP/UDP
DNS or Domain Name System | >>> 53 | UDP
FTP or File Transfer Protocol | >>> 20,21 | TCP
SFTP or Secure File Transfer Protocol | >>> 115 | TCP
SSH or Secure Shell | >>> 22 | TCP/UDP
Telnet | >>> 23 | TCP
NTP or Network Time Protocol | >>> 123 | UDP
LDAP or Lightweight Directory Access Protocol | >>> 389 | TCP/UDP
LDAP over TLS/SSL | >>> 636 | TCP
LDAP Global Catalog | >>> 3268 | TCP
SNMP or Simple Network Management Protocol | >>> 161,162 | TCP/UDP
NetBIOS or Network Basic Input/Output System (session service) | >>> 135,139 | TCP/UDP
MSRPC | >>> 135 | TCP/UDP
NetBIOS Datagram Service | >>> 138 | UDP
SMTP or Simple Mail Transfer Protocol | >>> 25 | TCP
POP or Post Office Protocol | >>> 110 | TCP
IMAP4 or Internet Message Access Protocol | >>> 143 | TCP/UDP
RDP or Remote Desktop Protocol | >>> 3389 | TCP/UDP
IRC or Internet Relay Chat | >>> 194 | TCP
SMB or Server Message Block | >>> 445 | TCP
TACACS or Terminal Access Controller Access-Control System | >>> 49 | TCP
Kerberos | >>> 88 | TCP
NFS or Network File System | >>> 2049 | TCP
PPTP or Point to Point Tunneling Protocol | >>> 1723 | TCP
Tools Usage
netcat Usage
seclists
PowerShell Usage
Certifications
eWPT | Web Penetration Tester