This document contains both Custom Queries that you can import/run directly in Bloodhound, as well as custom queries that you can run from within the Neo4j GUI directly.
cd /root/.config/bloodhound
curl -o "customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"
Once downloaded, just restart Bloodhound and you’ll see the Custom Queries available.
Within Neo4j GUI
In the Neo4j console (by default http://localhost:7474/browser/), you can run your own queries to get data out of the Bloodhound database. I like to do this for ease of copy/paste when report writing.
Find all computers that have an unsupported Operating System.
MATCH (H:Computer) WHERE H.operatingsystem =~ '.*(2000|2003|2008|xp|vista|7).*' RETURN H.name, H.operatingsystem
MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|me|7).*' RETURN H.name,H.operatingsystem
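Why the two patterns behave differently, as an added example (my own code, not from the post): Cypher's =~ only matches when the pattern covers the whole string, which Python's re.fullmatch mirrors, so the constructed computer records below show the case-insensitive query catching substrings like "1709" and "Home" and how word boundaries (my own tightening, an assumption) avoid that.

```python
import re

# Constructed sample of BloodHound Computer nodes (name, operatingsystem).
# These values are made up for the example and are not from the original post.
COMPUTERS = [
    ("DC01.CORP.LOCAL", "Windows Server 2003 Standard Edition"),
    ("WS07.CORP.LOCAL", "Windows 7 Professional"),
    ("FS01.CORP.LOCAL", "Windows Server 2019 Standard"),
    ("WS10.CORP.LOCAL", "Windows 10 Pro 1709"),
    ("LAB01.CORP.LOCAL", "WINDOWS XP PROFESSIONAL"),
    ("HOME01.CORP.LOCAL", "Windows 10 Home"),
]

# Cypher's =~ operator only succeeds when the pattern matches the whole string,
# which is what re.fullmatch does here, so the patterns behave as they do in Neo4j.
BROKEN = r".(2000|2003|2008|xp|vista|7)."
# A single '.' on each side only matches a three-character string such as "x7y".
LOOSE = r"(?i).*(2000|2003|2008|xp|vista|me|7).*"
# The working query from the post: case-insensitive, but "7" and "me" are
# substrings of "1709" and "Home", so current builds get flagged as well.
STRICT = r"(?i).*\b(2000|2003|2008|xp|vista|me|7)\b.*"
# Assumption (my own tightening): word boundaries keep the tokens whole.
# In a Cypher string literal the backslash has to be doubled: '...\\b(...)\\b...'.

def unsupported(pattern, computers=COMPUTERS):
    """Return the names whose operatingsystem fully matches pattern."""
    return [name for name, osname in computers if re.fullmatch(pattern, osname)]

if __name__ == "__main__":
    for label, pat in (("broken", BROKEN), ("loose", LOOSE), ("strict", STRICT)):
        print(f"{label:>6}: {unsupported(pat)}")
```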
Find all enabled users who are member of a particular group, such as Domain Admins.
MATCH (u:User)-[:MemberOf]->(g:Group {name:'DOMAIN ADMINS@<domain>'}) WHERE u.enabled = TRUE return u.name
Find all users that contain a keyword.
MATCH (u:User) WHERE u.name CONTAINS "<keyword>" return u.name, u.displayname, u.description, u.group
Print the name of all enabled users and their description field.
MATCH (n:User) WHERE n.enabled = TRUE RETURN n.name, n.description
There are literally hundreds of these type of posts on the internet, with one of my favorites being https://wiki.wireshark.org/CaptureFilters. However, I wanted to create this ‘short’ list that contains my favorite go-to’s after performing Man in the Middle attacks.
This post will be updated as time goes on.
Understanding the Packet Capture
Before diving too deep, it’s always a good idea to get an idea of what type of traffic was captured so you know which filters to apply.
Viewing Protocol Statistics: In the Menu, click on Statistics and select Protocol Hierarchy.
Filtering HTTP
If non-encrypted HTTP traffic was captured, we may be able to extract juicy details.
View all plaintext HTTP GET requests: http.request.method == "GET"
View all plaintext HTTP POST requests: http.request.method == "POST"
Filtering by a specific redirect location (the Location header holds the full URL, so match on a substring): http.location contains "login_success.php"
To export HTTP objects (such as images or pages): Select File. Click on Export Objects, and then HTTP.
Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.
Filtering FTP
FTP is pretty simple, since all traffic is sent in plaintext.
To view all FTP related traffic: ftp
To export FTP objects (such as transferred files): Select File. Click on Export Objects, and then TFTP.
Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.
Filtering SMB
SMB is a favorite to capture, as it is usually not encrypted and you may be able to exfiltrate files over the wire.
To view packets related to SMB files: smb.file
To export SMB objects (such as transferred files): Select File. Click on Export Objects, and then SMB.
This post contains various commands and methods for performing passive recon of a target. This article will be expanded upon as time goes on.
Performing Whois lookups
We can utilize public WHOIS databases to perform lookups on domains. https://lookup.icann.org/
It may also be worthwhile utilizing other services, such as Namecheap. Once you know who the registrar is, it is typically best to perform a Whois lookup for your target using their domain registrar. https://www.namecheap.com/domains/whois/
We can also utilize a Kali terminal for this: whois <targetDomain>
You can use additional options to instruct the tool to use a different server. whois -h whois.godaddy.com <targetDomain>
Performing DNS enumeration with Nslookup
To perform a lookup of the A records against a particular domain: nslookup <targetDomain>
To look up the mail records: nslookup -query=mx <targetDomain>
To look up Nameservers: nslookup -query=ns <targetDomain>
To get all records that are available: nslookup -query=any <targetDomain>
You can also drop into nslookup with no parameters interactively. nslookup
While interactively working with nslookup, you can set your query: set q=mx
You can also set your server if you wanted to query a different DNS server than your default one: server 8.8.8.8
Performing DNS enumeration with Dig
To extract A records and Nameservers of a domain: dig <targetDomain>
To query just A records: dig <targetDomain> A
You can also limit the output to a specific record, and just return the answer section: dig +nocmd <targetDomain> MX +noall +answer
Can attempt a DNS Zone transfer: dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer>
Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques. fierce -dns <targetDomain>
You can also specify a particular DNS server for the tool to use. fierce -dns <targetDomain> -dnsserver <targetNameserver>
We can also leverage a tool called DNSEnum to do something similar. It looks up the A records of the target domain, then the NS and MX records. Finally, it attempts a zone transfer. dnsenum <targetDomain>
You can also specify a particular DNS server for the tool to use. Sometimes the results will differ. dnsenum <targetDomain> --dnsserver <targetNameserver>
You can use DNSEnum to brute force subdomains as well. dnsenum <targetDomain> -f <dictionaryList>
DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist. dnsmap <targetDomain> -w wordlist.txt -r /tmp/results.txt
DNSMap to enumerate subdomains in bulk fashion: dnsmap-bulk.sh domains.txt /tmp/results.txt
DNSRecon is an ‘all-in-one’ tool that can do most everything. dnsrecon -d <targetDomain>
Google and Bing Dorking
Bing offers a query filter that returns websites hosted on a given IP address by entering the following Bing search: ip:<targetIP>
Search Google for results within a particular website: site:<targetURL>
Search Google for specific filetypes: site:<targetURL> filetype:pdf
Search Google for particular text in the title: site:<targetURL> intitle:admin
Or: site:<targetURL> intitle:"index of"
Search Google for particular text in the body: site:<targetURL> intext:admin
Or: site:<targetURL> intext:"index of"
Using Nmap for a pingsweep without port discovery: sudo nmap -PE -sn -n <ipRange> -oA nmap/pingsweep
Using Nmap for pingsweep, with top 20 port discovery: sudo nmap -PE -n <ipRange> --top-ports 20
Using Nmap to scan UDP ports: sudo nmap -sU <ipRange>
Using Nmap for ARP Scan: sudo nmap -PR -sn <ipRange>
Sometimes filtering may be in place to only allow certain source ports on the network. To get around that, we could use the following Nmap command to scan DNS port 53 with a source port of 53: sudo nmap -sS --source-port 53 -p 53 <ipRange> -oA nmap/dns-servers
Hping
Hping is also useful, as it's always a good idea to get a second opinion. The following will scan a specific port with 3 SYN packets. sudo hping3 -S <ipAddr> -p <port> -c 3
To use Hping to scan a port range, but exclude port 525: sudo hping3 -S --scan '80,445,500-550,!525' <ipAddr> -V
To use Hping for UDP scans: sudo hping3 -2 --scan 1-1000 <ipAddr>
Sometimes filtering may be in place to only allow certain source ports on the network. To get around that, we could use the following Hping command to scan DNS port 53 with a source port of 53: sudo hping3 -S -s 53 -k -p 53 <ipAddr>
Host Enumeration Using FPing
We can leverage fPing to do a quick search on the network for alive hosts. fping -A <targetIP>
We can also add an option to limit the number of retries attempted, speeding up the execution. fping -A <targetIP> -r 0
Adding another option will allow us to view the time it took to retrieve the reply. fping -A <targetIP> -e
To sweep a network efficiently, without retries, and only display the alive hosts: fping -q -a -g 10.0.0.0/24 -r 0 -e
From within a Meterpreter session:
Display the network adapters and their associated IP addresses: ifconfig
Display nearby machines on the network: arp
Display entries on the local routing table: route
Perform an ARP scan for a given IP range: run arp_scanner -r 10.0.0.0/24
View existing configured routes in Metasploit: route print
Forward a specific port to a remote host through the Meterpreter session. Any traffic sent to the local port on our local system will route through the Meterpreter session. portfwd add -l <localPort> -p <remotePort> -r <destinationIP>
Handy Metasploit modules:
Run a ping sweep through a compromised system: use post/multi/gather/ping_sweep
Configure a Metasploit route for pivoting: use post/multi/manage/autoroute
You can also configure a route while interacting with a Meterpreter session: run autoroute -s <subnet>
Run a TCP port scan (you may want to configure a route first): use auxiliary/scanner/portscan/tcp
NFS shares are not only common to come across during the OSCP and in capture the flag events like Hack The Box, but they're also common to see during internal pentest engagements. This post intends to serve as a guide for enumerating an NFS share and different opportunities for abusing its functionality.
Note: In Linux environments, NFS is sometimes used as a home directory server.
Using ShowMount
To list the available NFS shares, you can use the following: showmount -e <ipAddr>
To list the connected clients, you can use the following: showmount -a <ipAddr>
Mounting NFS Shares
First, we’ll need to create a mount point in Kali. sudo mkdir /mnt/nfs-share
Then we can mount the open share to it. sudo mount -t nfs <ipAddr>:/<shareName> /mnt/nfs-share
Then you can change into the mounted share. cd /mnt/nfs-share
Enumerating Mounted NFS Shares
Once you've mounted a share (using the above steps), you'll want to enumerate it to see what it contains and what permissions you have to interact with it.
Obviously you can then read/copy files, but testing whether you can write/delete is an important step.
touch test
rm test
Can you overwrite existing files? For example, say that Web.config was present in the share. Try the following:
touch /tmp/Web.config
mv /tmp/Web.config /mnt/nfs-share/Web.config
Sometimes interacting with the share directly can be slow, so it may be helpful to run the following command. This will get a list of all the files in the share along with their associated permissions, and write that into a text document locally on your machine. This will let you search through this local file to hunt for handy files rather than querying the remote system each time. find . -ls > /tmp/nfs-share.dir
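The offline hunt through that saved listing, as an added example (my own code, not the post's): it parses constructed find -ls lines of the kind written to /tmp/nfs-share.dir and flags world-writable paths, setuid binaries, and filenames from an assumed watch-list, so the permission review happens locally rather than against the remote share.

```python
import re
from dataclasses import dataclass

# Constructed `find . -ls` output, the kind of file the post saves as /tmp/nfs-share.dir.
# Every line here is made up for the example; none of it comes from the original post.
SAMPLE_LISTING = """\
   1234    4 -rw-r--r--   1 root     root         1024 Jan  5 12:00 ./etc/passwd
   1235    4 -rwxrwxrwx   1 1001     1001          512 Mar 12  2021 ./home/bob/.bash_history
   1236    0 drwxrwxrwt   2 root     root         4096 Feb  1 09:30 ./tmp
   1237    4 -rw-------   1 1001     1001         1675 Feb  1 09:30 ./home/bob/.ssh/id_rsa
   1238    8 -rwsr-xr-x   1 root     root         8192 Feb  1 09:30 ./usr/bin/custom
   1239    4 -rw-rw-r--   1 www-data www-data     2048 Feb  1 09:30 ./var/www/Web.config
"""

# Filenames worth a second look in a share listing (assumption: my own short list).
INTERESTING = re.compile(r"(id_rsa|id_dsa|\.bash_history|Web\.config|\.htpasswd|shadow|\.kdbx)$", re.I)

@dataclass
class Entry:
    perms: str   # e.g. "-rwxrwxrwx": type char followed by user/group/other triplets
    links: int
    owner: str   # a bare number means the server uid is not mapped to a local user
    group: str
    size: int
    path: str

def parse_find_ls(text):
    """Parse `find -ls` lines: inode blocks perms links owner group size month day time path."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 10)          # the path is the 11th field and may contain spaces
        if len(fields) != 11:
            continue                           # skip blank or truncated lines
        _, _, perms, links, owner, group, size, _, _, _, path = fields
        entries.append(Entry(perms, int(links), owner, group, int(size), path))
    return entries

def world_writable(entries):
    """Paths that anyone can write to: the other-write position (index 8) is 'w'."""
    return [e.path for e in entries if e.perms[8] == "w"]

def setuid(entries):
    """Files with the setuid bit ('s' or 'S' in the owner-execute position, index 3)."""
    return [e.path for e in entries if e.perms[3] in "sS"]

def interesting_files(entries):
    """Paths whose name matches the INTERESTING watch-list."""
    return [e.path for e in entries if INTERESTING.search(e.path)]

if __name__ == "__main__":
    found = parse_find_ls(SAMPLE_LISTING)
    print("world-writable:", world_writable(found))
    print("setuid:", setuid(found))
    print("interesting:", interesting_files(found))
```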
This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 5985 on a machine. This list is far from exhaustive and will be updated as time progresses.
This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses.
Enumerating Hostname of Server
Run the following commands (inside an interactive nslookup session) to see if you can make the server leak its own hostname.
nslookup
server <targetIP>
127.0.0.1
127.0.0.2
<targetIP>
Note: It’s probably worth enumerating other live hosts on the network to confirm the domain name is the same.
Performing DNS enumeration with Nslookup
To perform a lookup of the A records against a particular domain: nslookup <targetDomain>
To look up the mail records: nslookup -query=mx <targetDomain>
To look up Nameservers: nslookup -query=ns <targetDomain>
To get all records that are available: nslookup -query=any <targetDomain>
You can also drop into nslookup with no parameters interactively. nslookup
While interactively working with nslookup, you can set your query: set q=mx
You can also set your server if you wanted to query a different DNS server than your default one: server 8.8.8.8
Performing DNS enumeration with Dig
To extract A records and Nameservers of a domain: dig <targetDomain>
To query just A records: dig <targetDomain> A
You can also limit the output to a specific record, and just return the answer section: dig +nocmd <targetDomain> MX +noall +answer
Can attempt a DNS Zone transfer: sudo dig @<targetDNSServer> <targetDomain> -t AXFR +nocookie
Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques. fierce -dns <targetDomain>
You can also specify a particular DNS server for the tool to use. fierce -dns <targetDomain> -dnsserver <targetNameserver>
We can also leverage a tool called DNSEnum to do something similar. It looks up the A records of the target domain, then the NS and MX records. Finally, it attempts a zone transfer. dnsenum <targetDomain>
You can also specify a particular DNS server for the tool to use. Sometimes the results will differ. dnsenum <targetDomain> --dnsserver <targetNameserver>
You can use DNSEnum to brute force subdomains as well. dnsenum <targetDomain> -f <dictionaryList>
DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist. dnsmap <targetDomain>
DNSRecon is an ‘all-in-one’ tool that can do most everything. dnsrecon -d <targetDomain>
Using DNSRecon to enumerate hostnames within local subnet.
We can use dnsrecon to attempt a “brute-force” attack by querying IP addresses for associated reverse lookup records.
-n : The nameserver to use.
-r : The network “range” that you want to look up records for.
--db : Saves the found records to a SQLite DB file.
dnsrecon -n <ipAddr> -r <subnet> --db target.db
If you are unsure of any information, or even what network(s) to perform the lookup for, you can create a bash script that contains multiple commands. For example, we could create enumdns.sh that contains the following:
This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 389 on a machine. This list is far from exhaustive and will be updated as time progresses.
Let’s start by performing a search with simple authentication:
ldapsearch -h <targetIP> -x
If you get results back, let’s run the following command to try and get additional details out.
ldapsearch -h <targetIP> -x -s base namingcontexts
Based on the results, you’ll want to extract details about the primary Domain Component. For example, based on the above output, our next command would look like this.
ldapsearch -h <targetIP> -x -b "DC=htb,DC=local"
This should output a ton of information that you can then redirect to a file. If you do redirect to a file, the following commands may be helpful for extracting specific details.
If you wanted to query LDAP directly, you can do so by adding your query to the end of your ldapsearch command. For example, we can find details of objects that have a class of “Person” by running the following command:
If you find UDP ports 500 or 4500, the box is likely running some sort of IPSEC VPN tunnel. This post intends to serve as a guide for enumerating these ports and a list of tools that can help you.
Table of Contents
Helpful Commands
Installing IPSEC VPN Client on Linux
Installing IPSEC VPN Client on Windows
Troubleshooting IPSEC Errors
Helpful Commands
To extract the preshared key hash, you can run the following command as long as Aggressive mode is enabled.
ike-scan --aggressive <targetIP>
If this fails, you can run the following command to extract some details about the VPN configuration, such as what hashing format and encryption algorithms are being used.
ike-scan -M <targetIP>
Notice that the LifeDuration may be returned in hex format. You can convert this value to decimal to get the life duration in seconds using the following command.
python3 -c 'print(int("<hex>", 16))'
To confirm whether or not the VPN is using IKE version 2, you can run the following command. If it returns successful output, then you know IKEv2 is in use.
ike-scan -M -2 <targetIP>
Note that Nmap scans across an established IPSEC connection will need to run with -sT to get accurate results. The default for Nmap is to run with SYN scans (-sS).
Installing IPSEC VPN Client on Linux
In this example, I will show how to connect to the challenge on Hack The Box called Conceal. Please note that this post does not intend to serve as a walkthrough or write-up of this machine, but rather is being used as an example for configuring IPsec tunnels.
On Linux, you can use StrongSwan to connect to VPN servers.
sudo apt install strongswan -y
To begin, let’s edit our /etc/ipsec.secrets file so that it contains the PSK (Pre-Shared Key) for our VPN server. This will allow StrongSwan to authenticate to our VPN server when we go to use the tool. You can view the man page of this configuration file by running “man ipsec.secrets”.
sudo vi /etc/ipsec.secrets
Add the following line:
<targetIP> %any : PSK "<presharedKey>"
Note: You need to provide the key in its unencrypted/non-hashed format.
Next, we need to edit our IPsec configuration file so that it contains the configuration of our VPN. You can view the man page of this configuration file by running “man ipsec.conf”.
sudo vi /etc/ipsec.conf
This is where things will vary based on the configuration of your VPN, but this is what is needed for things to work on the Conceal box. You will need to take the output from the commands we ran earlier to know exactly what values to enter for each of these. Refer to the man page for ipsec.conf as needed.
While this configuration should work in most cases, Conceal was a bit tricky. It was configured to only allow TCP ports over the VPN, rather than the default of both UDP and TCP. Because of this, we actually had to add two additional lines.
With our configuration in place, let’s try establishing our connection!
sudo ipsec start --nofork
Things to consider:
You may or may not need the fragmentation item in the above config(s), depending on how the VPN server is configured.
If you’re having weird issues, you can run the following command in an attempt to improve the connection. sudo ifconfig <interface> mtu 1000
Note that Nmap scans across an established IPSEC connection will need to run with -sT to get accurate results. The default for Nmap is to run with SYN scans (-sS).
Installing IPSEC VPN Client on Windows
To begin, let’s launch Windows Defender Firewall with Advanced Security.
Navigate to Connection Security Rules, and then create a New Rule.
We want to create a Custom rule, and then click Next.
Within Endpoint 1, click on These IP Addresses and then select Add. You'll want to enter the IP address of the interface that you'll use to connect to the VPN.
Do the same thing with Endpoint 2, but specify the destination host or network. When finished, the populated window should have items in both panes, and then you can click Next.
Select the proper Authentication Method.
If using a Preshared Key, select Next in the above listed window, then select Advanced and click Customize.
Then click on Add, select Preshared Key, enter it, and then click OK.
Select the necessary Protocol/Port configurations. In some cases, your VPN tunnel may only allow UDP or TCP and not always both.